Microsoft responded swiftly to fix a flaw in the Azure Automation service that would have allowed one account owner to access other customers’ accounts. With Azure Automation, customers can automate their cloud management tasks, update Windows and Linux systems, and more!
Thanks to the brave heroes at Orca Security, who discovered this flaw and reported it to Microsoft on December 7, 2021. Orca Security named the vulnerability AutoWarp.
What is Azure Automation?
What is the AutoWarp vulnerability?
Azure Automation contained a critical vulnerability known as AutoWarp, which allowed unauthorized access to the accounts of other Azure customers using the service.
Depending on the permissions the customer had assigned, this attack could have led to full control over the targeted account’s resources and data.
By exploiting this vulnerability, an attacker could steal other Azure customers’ data, including their Managed Identities authentication tokens.
Description of the vulnerability
An Azure Automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined by the Automation Account’s Managed Identity. Due to the vulnerability, a user running an automation job in an Azure sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within those jobs’ Automation Account Managed Identities.
Note: Automation accounts that use an Automation Hybrid Worker for execution and/or Automation Run-As accounts for access to resources were not impacted.
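Because the damage an attacker can do with a stolen Managed Identity token is bounded by the roles granted to that identity, the practical mitigation on the customer side is a least-privilege review of every Automation Account’s identity. The script below is an added example, not code from the original post, from Microsoft, or from Orca Security. It assumes the Az.Accounts, Az.Resources and Az.Automation PowerShell modules, an existing Connect-AzAccount session, and that Get-AzAutomationAccount exposes the system-assigned identity under the Identity.PrincipalId property (true in current Az.Automation versions). The list of roles treated as “broad” is an assumption you should align with your own policy.

```powershell
# Added example (not from the original post, Microsoft or Orca Security):
# list the role assignments held by each Automation Account's system-assigned
# Managed Identity in the current subscription and flag broad grants, so a
# token-theft flaw like AutoWarp exposes as little as possible.
# Assumptions: Az.Accounts/Az.Resources/Az.Automation are installed, you are
# already signed in, and Get-AzAutomationAccount returns Identity.PrincipalId.

# Roles considered too broad for an automation identity (assumed policy; adjust as needed).
$broadRoles = @('Owner', 'Contributor', 'User Access Administrator')

$findings = foreach ($acct in Get-AzAutomationAccount) {
    # PrincipalId is only populated when a system-assigned identity is enabled.
    $principalId = $acct.Identity.PrincipalId
    if (-not $principalId) {
        [pscustomobject]@{
            Account = $acct.AutomationAccountName
            Role    = '(no system-assigned identity)'
            Scope   = '-'
            Broad   = $false
        }
        continue
    }

    foreach ($ra in Get-AzRoleAssignment -ObjectId $principalId) {
        [pscustomobject]@{
            Account = $acct.AutomationAccountName
            Role    = $ra.RoleDefinitionName
            Scope   = $ra.Scope
            # Flag a broad role, or any role granted above resource-group scope
            # (subscription or management group), as a candidate for tightening.
            Broad   = ($broadRoles -contains $ra.RoleDefinitionName) -or
                      ($ra.Scope -notmatch '/resourceGroups/')
        }
    }
}

# Broad grants first, so the review starts with the highest-impact identities.
$findings | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Run it once per subscription (Set-AzContext -Subscription <id> beforehand). Rows marked Broad are the identities whose token, if ever exposed, would have granted the “full control over the targeted account’s resources” the post describes; replacing those grants with resource-group-scoped, task-specific roles is the concrete form of the “best security practices” Microsoft recommended.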
When was the flaw discovered?
Orca Security reported the vulnerability to Microsoft on December 6, 2021. To mitigate the issue, Microsoft blocked all sandbox environments except the one with legitimate access to Managed Identities tokens on December 10, 2021.
Only users of the Azure Automation service were affected by the vulnerability. The service lets Azure users automate many Azure tasks with PowerShell or Python scripts. Microsoft’s product information page suggests that customers may use it with ITSM, DevOps, and monitoring systems to automate processes and ensure continual delivery and management.
Microsoft acknowledged that its service granted more access than intended, stating that “a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity.”
The flaw was disclosed by both Microsoft and Orca Security on March 7, along with the news that Microsoft had not detected any misuse of tokens.
Accounts that used Automation Hybrid workers or run-as accounts to access Azure resources were not affected.
Did You Fall Victim to AutoWarp?
- Orca Security notified Microsoft of the vulnerability on December 6, 2021.
- Microsoft addressed the issue and began looking for additional variants of the attack on December 10, 2021.
- Microsoft disclosed the conclusion of its investigation on March 7, 2022.
Recommendation by Microsoft:
Microsoft notified Azure Automation service customers and recommended that they follow security best practices.
No system is perfect, as AutoWarp and other critical cloud vulnerabilities such as AWS Superglue and BreakingFormation show. This means you need to stay vigilant about what could happen if an attacker finds a path that reaches your cloud environment. It is crucial to have an accurate assessment of every avenue an outsider could exploit.
So make sure you know everything about your environment by getting complete visibility into what is happening in your company’s data and network infrastructure, especially the places where attacks may occur.
Explore our training courses on AWS and Azure to learn how to secure your cloud, and check out our other blogs to keep up with current events in the cloud computing industry.