Microsoft responded swiftly to fix a bug in the Azure Automation service that would have allowed one account owner to access another customer’s accounts. With Azure Automation, customers can automate their cloud management tasks, update Windows and Linux systems, and more!
Credit goes to the researchers at Orca Security, who discovered the flaw and reported it to Microsoft on December 7 2021. Orca Security named the vulnerability AutoWarp.
What is Azure Automation?
What is Autowrap vulnerability?
Azure Automation contained a critical vulnerability, known as AutoWarp, that allowed unauthorized access to other Azure customers' accounts using the service.
Depending on the permissions assigned by the customer, this attack could lead to full control over the targeted account’s resources and data.
By exploiting this vulnerability, an attacker could steal other Azure customers' data, including Managed Identities authentication tokens.
When was the flaw discovered?
Orca Security reported the vulnerability to Microsoft on December 6, 2021. To mitigate the issue, Microsoft blocked all sandbox environments except the one with legitimate access to Managed Identities tokens on December 10, 2021.
Only users of the Azure Automation service were affected by the vulnerability. The service lets Azure users automate many Azure tasks with PowerShell or Python scripts. Microsoft's product information page notes that customers can integrate it with ITSM, DevOps, and monitoring systems to automate processes and ensure continuous delivery and management.
Microsoft acknowledged that its service granted more access than intended: “a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.”
Microsoft and Orca Security both disclosed the flaw on March 7, along with the news that Microsoft had not detected any misuse of tokens.
Accounts that used Automation Hybrid Workers or Run As accounts to access Azure resources were not affected.
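The impact described above depends entirely on what the Automation account's Managed Identity is allowed to do, so a practical defensive check is to audit that identity's role assignments for broad roles at wide scopes. The following Python script is an added example, not code from the original article, from Orca Security or from Microsoft. It runs over constructed sample data whose field names mirror the JSON that `az role assignment list` returns; the severity rules (the `BROAD_ROLES` set and the "wide scope" test) are an assumption of this example, not a Microsoft recommendation.

```python
"""Audit the role assignments of an Azure Automation account's Managed Identity.

Constructed sample data only: the dictionaries below mirror the fields that
`az role assignment list --assignee <principalId> --all -o json` returns
(roleDefinitionName, scope, principalId, principalType), but nothing here
queries Azure.
"""
import re

# Roles that grant broad write or permission-management rights. This set is a
# policy choice assumed for the example; adjust it to your own baseline.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+/?$", re.IGNORECASE)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: managementGroup, subscription, resourceGroup or resource."""
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def audit_identity_assignments(assignments, principal_id):
    """Return findings for one principal as (severity, role, scope, reason) tuples.

    A broad role at a wide scope is the worst case: a token for that identity
    would control every resource under the scope.
    """
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role = a["roleDefinitionName"]
        level = scope_level(a["scope"])
        wide = level in ("managementGroup", "subscription")
        if role in BROAD_ROLES and wide:
            findings.append(("high", role, a["scope"],
                             f"{role} at {level} scope: a stolen token controls every resource in it"))
        elif role in BROAD_ROLES:
            findings.append(("medium", role, a["scope"],
                             f"{role} at {level} scope: narrow the role to the actions the runbook needs"))
        elif wide:
            findings.append(("low", role, a["scope"],
                             f"{role} at {level} scope: consider scoping to the resource group the runbook manages"))
    return findings


# Constructed sample: one Automation account identity (placeholder object id)
# with three assignments, plus an unrelated user principal that must be ignored.
SAMPLE_PRINCIPAL = "00000000-0000-0000-0000-00000000aaaa"  # placeholder, not a real object id
SAMPLE_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # placeholder subscription
SAMPLE_ASSIGNMENTS = [
    {"principalId": SAMPLE_PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SUB},
    {"principalId": SAMPLE_PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SAMPLE_SUB + "/resourceGroups/rg-patching"},
    {"principalId": SAMPLE_PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SAMPLE_SUB},
    {"principalId": "other-principal", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SAMPLE_SUB},
]

if __name__ == "__main__":
    for sev, role, scope, reason in audit_identity_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPAL):
        print(f"[{sev.upper()}] {role} @ {scope}\n    {reason}")
```

Against the sample data the script reports the subscription-wide Contributor assignment as high and the subscription-wide Reader as low, and stays silent on the resource-group-scoped Virtual Machine Contributor, which is the shape a patching runbook's identity should have. To audit a real account, export the identity's assignments with `az role assignment list --assignee <principalId> --all -o json` and pass the parsed list to `audit_identity_assignments`.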
Did You Fall Victim to AutoWarp?
- Orca Security notified Microsoft of the vulnerability on December 6, 2021.
- Microsoft addressed the issue and began looking for additional variants of the attack on December 10, 2021.
- Microsoft disclosed the conclusion of its investigation on March 7, 2022.
Recommendation by Microsoft:
Microsoft has notified Azure Automation customers and recommended that they follow security best practices.
No system is perfect, as AutoWarp and other critical cloud vulnerabilities such as AWS Superglue and BreakingFormation show. You therefore need to stay vigilant about what could happen if an attacker finds a path into your cloud environment, and to keep an accurate assessment of every avenue an outsider could exploit.
So make sure you know your environment by getting complete visibility of what is happening across your company's data and network infrastructure, especially in the places where attacks are most likely to occur.