“Design flaws” discovered in Microsoft Azure can be exploited by attackers to gain access to storage accounts, lateral movement within the environment, and even remote code execution.
โManipulating Azure Functions to steal higher-privileged access tokens, move laterally, access critical business assets, or execute remote code (RCE) can compromise Microsoft storage. Accounts can be abused and leveraged,โ Orca said in a new document. report Share with Hacker News.
The exploit path that underpins this attack is Shared key authenticationThis is enabled by default on storage accounts.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data through shared key authentication or SAS tokens signed with a shared key.
“Your storage account access key gives you full access to your storage account’s configuration as well as your data.” Note in that document. “Accessing the shared key gives the user full access to the configuration of the storage account and its data.”
The cloud security firm says these access tokens can be stolen by manipulating Azure Functions, potentially giving threat actors access to your accounts. Storage Account Contributor role Escalate privileges and take over the system.
in particular, managed identity When used to call a function app, it can be exploited to execute arbitrary commands. This is made possible by the fact that a dedicated storage account is created when you deploy your Azure Function App.
“If an attacker finds a function app’s storage account with a strong managed identity assigned to it, they can execute code on their behalf, resulting in a subscription privilege escalation (PE),” said Roi, a researcher at Orca. Nisimi said.
Learn How to Secure Your Identity Perimeter – A Proven Strategy
Improve your business security in our upcoming expert-led cybersecurity webinar: Exploring Identity Perimeter Strategies!
This means that by exfiltrating the access token of the managed identity assigned to the Azure Function app to a remote server, the attacker can elevate privileges, move laterally, access new resources, and reverse-shell on the virtual machine. can do.
โBy overriding a function file in a storage account, an attacker can steal and steal a higher privileged identity and use it to move laterally and exploit the victimโs most precious crown jewel. can be infringed,โ explains Nisimi.
As a mitigation, we recommend that organizations consider disabling Azure Shared Key authentication and using Azure Active Directory authentication instead. In a joint disclosure, Microsoft Said “We will be updating how the Functions client tools work with storage accounts.”
“This includes changes to better support scenarios using identities. After identity-based connectivity for AzureWebJobsStorage is generally available and new experiences are validated, identities will become the default mode for AzureWebJobsStorage This is intended to move away from shared key authentication.โ Added more tech giants.
The findings highlight a misconfiguration issue affecting Azure Active Directory that allows Bing search results to be tampered with, and an Azure Service Fabric Explorer (SFX) vulnerability that can lead to unauthenticated remote code execution. It arrived a few weeks after Microsoft patched the reflected XSS vulnerability.
