Microsoft Azure ‘AutoWarp’ bug could have allowed attackers to access customer accounts


Details have been disclosed of a critical, now-patched vulnerability in Microsoft's Azure Automation service that could have allowed an attacker to gain unauthorized access to other Azure customers' accounts and take control of them.

“This attack could mean full control over the resources and data belonging to the targeted account, depending on the permissions assigned by the client,” said Yanir Tsarimi, researcher at Orca Security, in a report released Monday.

The flaw potentially put several entities at risk, including an unnamed telecommunications company, two automakers, a banking conglomerate and four major accounting firms, among others, the Israeli cloud infrastructure security firm added.

The Azure Automation service allows for process automation, configuration management, and operating system update management within a defined maintenance window, across Azure and non-Azure environments.

Nicknamed “AutoWarp”, the issue affects all users of the Azure Automation service who have the Managed Identity feature enabled. The feature is enabled by default. Following responsible disclosure on December 6, 2021, the issue was resolved in a patch released on December 10, 2021.

“Azure Automation accounts that used managed identity tokens for authorization and an Azure Sandbox for execution and task execution were exposed,” Microsoft Security Response Center (MSRC) said in a report. “Microsoft did not detect evidence of token misuse.”

While automation tasks are designed to be sandboxed to prevent access by other code running on the same virtual machine, the vulnerability allowed a bad actor running a task in an Azure Sandbox to obtain the authentication tokens of other automation jobs.

“Someone with malicious intent could have continuously grabbed tokens and with each token extended the attack to more Azure customers,” Tsarimi noted.

The disclosure comes nearly two months after Amazon Web Services (AWS) patched two vulnerabilities, dubbed Superglue and BreakingFormation, in the AWS Glue and CloudFormation platforms that could have been misused to access other AWS Glue customers’ data and disclose sensitive files.

In December 2021, Microsoft also addressed another security flaw in Azure App Service that caused the source code of client applications written in Java, Node, PHP, Python, and Ruby to be exposed for at least four years since September 2017.

