Azure 'AutoWarp' bug allowed unauthorised account access

Put large enterprises at risk of full compromise.

A critical vulnerability in Microsoft's Azure Automation Service left other cloud tenants open to attacks that could assume full control of their data and resources, security researchers found.

Security vendor Orca Security, which named the vulnerability AutoWarp, said the flaw put large companies in the telecommunications, car manufacturing, banking and accounting sectors at risk.

The vulnerability lay within the Azure Automation Service, which allows cloud customers to run scheduled jobs with input and output provided inside a sandbox that is meant to isolate them from other customers' code executing on the same virtual machine.

Orca Security discovered a way to interact with the internal Azure server that manages sandboxes for other customers, allowing researchers to capture managed identity access tokens.

With the tokens in hand, it would have been possible to attack and compromise other Azure customers.

A simple script that made hyper-text transfer protocol requests to transmission control protocol ports numbered above 40,000 allowed Orca to capture the access tokens.

The bug was reported to Microsoft by Orca and fixed in early December last year, with affected customers being notified.

Microsoft fixed the vulnerability by requiring an X-IDENTITY-HEADER field on the above-mentioned HTTP requests, containing a secret value set in the customer's environment variables.
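To illustrate the shape of the fix described above, here is an added example (not Microsoft's or Orca's code) modelling a token endpoint before and after the per-request secret check. The header name is the one the article cites; the environment-variable name, the response shape and the token placeholder are assumptions made for the example.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Header name as reported in the article; the env-var name is an assumption
# for this example, not the name Azure actually uses.
IDENTITY_HEADER = "X-IDENTITY-HEADER"
SECRET_ENV_VAR = "SANDBOX_IDENTITY_SECRET"


@dataclass
class Response:
    status: int
    body: str


def handle_token_request(headers: Dict[str, str],
                         expected_secret: Optional[str],
                         require_header: bool = True) -> Response:
    """Model of the managed-identity token endpoint.

    require_header=False reproduces the pre-fix behaviour: any caller that can
    reach the port is handed a token. With require_header=True the request
    must carry the per-customer secret, compared in constant time.
    """
    if require_header:
        # Header names are case-insensitive in HTTP; normalise before lookup.
        presented = {k.lower(): v for k, v in headers.items()}.get(
            IDENTITY_HEADER.lower())
        # Fail closed if no secret is configured or the header is absent/wrong.
        if (not expected_secret or presented is None
                or not hmac.compare_digest(presented, expected_secret)):
            return Response(401, "missing or invalid identity header")
    # Constructed placeholder; a real endpoint would mint or fetch a token here.
    return Response(200, "<managed identity access token>")


def load_expected_secret(env=None) -> Optional[str]:
    """Read the per-sandbox secret from the environment (injected per customer)."""
    env = os.environ if env is None else env
    return env.get(SECRET_ENV_VAR)
```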

At this stage, Microsoft said it has not detected any misuse of managed identities for Azure.

Copyright © iTnews.com.au . All rights reserved.