A “by-design flaw” in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and execute remote code, according to cloud security firm Orca. The flaw could allow attackers to steal access-tokens of higher privilege identities, potentially access critical business assets and execute remote code.
The exploitation path is Shared Key authorization, which is enabled by default on storage accounts. Access tokens can be stolen by manipulating Azure Functions, potentially enabling an attacker who holds the Storage Account Contributor role on an account to escalate privileges and take over systems.
The flaw stems from the way Azure generates two 512-bit storage account access keys when a storage account is created. These keys can be used to authorize access to data directly via Shared Key authorization, or indirectly via SAS tokens that are signed with the shared key.
“Storage account access keys provide full access to the configuration of a storage account, as well as the data,” Microsoft notes in its documentation. “Access to the shared key grants a user full access to a storage account’s configuration and its data.”
Orca recommends disabling Azure Shared Key authorization and using Azure Active Directory authentication instead.
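The recommendation above is only actionable if you know which storage accounts still accept Shared Key requests. The following is an added audit script, not code from Orca or Microsoft. It reads a list of accounts shaped like the output of `az storage account list -o json` (the sample below is constructed for this example), flags every account whose `allowSharedKeyAccess` property is not explicitly `false` (an unset property means Shared Key is enabled, the default the article describes), and emits the `az storage account update --allow-shared-key-access false` command for each one:

```python
"""Audit storage accounts for Shared Key authorization and emit remediation.

The input mirrors `az storage account list -o json`, trimmed to the fields
used here. The sample JSON is constructed for this example.
"""
import json

# Constructed sample, shaped like the CLI output. `allowSharedKeyAccess` is
# null when the property was never set, which Azure treats as enabled.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stfunctionsprod", "resourceGroup": "rg-functions",
   "allowSharedKeyAccess": null},
  {"name": "stlockeddown", "resourceGroup": "rg-data",
   "allowSharedKeyAccess": false},
  {"name": "stlegacy", "resourceGroup": "rg-legacy",
   "allowSharedKeyAccess": true}
]
"""


def shared_key_enabled(account: dict) -> bool:
    """Shared Key auth is on unless the property is explicitly false."""
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(accounts: list) -> list:
    """Return the accounts that still accept Shared Key / account-SAS requests."""
    return [a for a in accounts if shared_key_enabled(a)]


def remediation_commands(accounts: list) -> list:
    """Azure CLI commands that switch each flagged account to Azure AD only.

    Run these only after every client of the account, including the Functions
    host via AzureWebJobsStorage, has been moved to identity-based auth;
    otherwise those clients lose access.
    """
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in find_shared_key_accounts(accounts)
    ]


def audit(accounts_json: str) -> dict:
    """Parse the CLI-style JSON and build a small report."""
    accounts = json.loads(accounts_json)
    flagged = find_shared_key_accounts(accounts)
    return {
        "total": len(accounts),
        "shared_key_enabled": [a["name"] for a in flagged],
        "remediation": remediation_commands(accounts),
    }


if __name__ == "__main__":
    # Against a real subscription, pipe `az storage account list -o json`
    # into this script instead of the constructed sample.
    print(json.dumps(audit(SAMPLE_ACCOUNTS_JSON), indent=2))
```

Two caveats worth keeping in mind before running the generated commands: disabling Shared Key access also invalidates account SAS tokens, since they are signed with the same key (user delegation SAS, which is signed with an Azure AD credential, keeps working), and a Function App whose `AzureWebJobsStorage` setting still uses a connection string will stop starting until it is switched to an identity-based connection.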
Microsoft plans to update how Functions client tools work with storage accounts, and after identity-based connections for AzureWebJobsStorage are generally available, identity will become the default mode for AzureWebJobsStorage.
The disclosure comes after Microsoft patched a misconfiguration issue affecting Azure Active Directory that made it possible to tamper with Bing search results, and a reflected XSS vulnerability in Azure Service Fabric Explorer that could lead to unauthenticated remote code execution.