Microsoft responded swiftly to fix a bug in the Azure Automation service that would have allowed one account owner to access another customer’s accounts. With Azure Automation, customers can automate their cloud management tasks, update Windows and Linux systems, and more!

Thanks go to the brave heroes at Orca Security, who discovered this flaw and reported it to Microsoft on December 7, 2021. Orca Security named the vulnerability AutoWarp.

What is Azure Automation?

Azure Automation is a cloud-based automation platform that provides a comprehensive automation service with low upfront and ongoing costs. Azure Automation allows you to automate tasks that would normally consume the time of IT and service desk personnel.
Azure Automation is compatible with multiple vendors, cloud platforms, and on-premises systems. Because it is built on PowerShell, it is very flexible when it comes to integrating with third-party products. By providing a graphical interface that minimizes the need for specific scripting skills, the platform further frees up IT staff.

What is the AutoWarp vulnerability?

Azure Automation contains a critical vulnerability known as AutoWarp, which allowed unauthorized access to other Azure customer accounts using the service.

Depending on the permissions assigned by the customer, this attack could lead to full control over the targeted account’s resources and data.

An attacker can steal other Azure customers’ data, including Managed Identities authentication tokens, by exploiting this vulnerability.

Description of the vulnerability

An Azure Automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in the Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.

Note: Automation accounts that use an Automation Hybrid worker for execution and/or Automation Run-As accounts for access to resources were not impacted.

When was the flaw discovered?

Orca Security reported the vulnerability to Microsoft on December 6, 2021. To mitigate the issue, Microsoft blocked all sandbox environments except the one with legitimate access to Managed Identities tokens on December 10, 2021.

The Impact:

Azure Automation Service users were the only ones affected by the vulnerability. The service allows Azure users to automate many Azure tasks with PowerShell or Python scripts. Microsoft’s product information page suggests that customers may use it with ITSM, DevOps, and monitoring systems to automate processes and ensure continual delivery and management.

Microsoft acknowledged that its service granted excessive access and that “a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.”

The flaw was disclosed by both Microsoft and Orca Security on March 7, along with the news that Microsoft had not detected any misuse of tokens.

Accounts that used Automation Hybrid workers or run-as accounts to access Azure resources were not affected.

Did You Fall Victim to AutoWarp?

If you were using the Azure Automation service, you may have been affected by this bug.
If the managed identity feature in your Automation account is enabled, it could also have affected you. In most cases, the managed identity feature in the Automation account is enabled by default.
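
One way to triage this from exported inventory, as an added example that is not part of the original article or Microsoft's guidance: it lists which Automation accounts have a managed identity and how much access that identity holds. It assumes JSON shaped like the output of `az resource list --resource-type Microsoft.Automation/automationAccounts` and `az role assignment list --all`; the sample data, the `HIGH_IMPACT_ROLES` set and the report labels are constructed for illustration.

```python
import json

# Constructed sample inventory (not from a real tenant).
ACCOUNTS_JSON = """[
 {"name": "aa-prod", "identity": {"type": "SystemAssigned",
   "principalId": "11111111-1111-1111-1111-111111111111"}},
 {"name": "aa-dev", "identity": {"type": "SystemAssigned",
   "principalId": "22222222-2222-2222-2222-222222222222"}},
 {"name": "aa-legacy", "identity": null}
]"""
ASSIGNMENTS_JSON = """[
 {"principalId": "11111111-1111-1111-1111-111111111111",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalId": "22222222-2222-2222-2222-222222222222",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev"}
]"""

# Assumption: roles treated here as giving broad control over resources.
HIGH_IMPACT_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an ARM scope string by how wide it is."""
    parts = [p for p in scope.split("/") if p]
    if not parts or parts[0].lower() == "providers":
        return "management-group-or-root"
    return {2: "subscription", 4: "resource-group"}.get(len(parts), "resource")

def principal_ids(identity):
    """Collect system-assigned and user-assigned principal IDs."""
    ids = [identity["principalId"]] if identity.get("principalId") else []
    for uai in (identity.get("userAssignedIdentities") or {}).values():
        if uai.get("principalId"):
            ids.append(uai["principalId"])
    return ids

def triage(accounts, assignments):
    """Return (account, label, [(role, scope level)]) for each account."""
    report = []
    for acct in accounts:
        ident = acct.get("identity") or {}
        if ident.get("type", "None") == "None":
            report.append((acct["name"], "no-identity", []))
            continue
        pids = set(principal_ids(ident))
        grants = [(a["roleDefinitionName"], scope_level(a["scope"]))
                  for a in assignments if a["principalId"] in pids]
        broad = any(r in HIGH_IMPACT_ROLES and lvl != "resource" for r, lvl in grants)
        report.append((acct["name"], "review-first" if broad else "review", grants))
    return report

def run_sample():
    return triage(json.loads(ACCOUNTS_JSON), json.loads(ASSIGNMENTS_JSON))
```

The listing alone cannot show whether an account ran jobs on a Hybrid worker or used a Run-As account, which the article says were not impacted, so confirm that separately for each flagged account.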

Important Timelines:

  • Microsoft was notified of the vulnerability by Orca on December 6, 2021.
  • The issue was addressed by Microsoft and they began looking for additional variants of the attack on December 10, 2021.
  • The conclusion of Microsoft’s investigation was disclosed on March 7, 2022.

Recommendation by Microsoft:

Azure Automation service customers have been notified, and Microsoft recommends that they follow security best practices.

Final Thoughts:

No system is perfect, as AutoWarp and critical cloud vulnerabilities like AWS Superglue and BreakingFormation show. This means you need to stay vigilant about what could happen if attackers find an attack path that reaches your cloud environment. It’s crucial for you to have an accurate assessment of all potential avenues that could be exploited by outsiders.

So make sure you know everything about your environment by getting complete visibility of what’s happening in your company’s data and network infrastructure – especially the places where attacks may occur.
