April 11, 2023Rabbi LakshmananCloud Security / Data Security

“Design flaws” discovered in Microsoft Azure can be exploited by attackers to gain access to storage accounts, lateral movement within the environment, and even remote code execution.

“Manipulating Azure Functions to steal higher-privileged access tokens, move laterally, access critical business assets, or execute remote code (RCE) can compromise Microsoft storage. Accounts can be abused and leveraged,” Orca said in a new document. report Share with Hacker News.

The exploit path that underpins this attack is Shared key authenticationThis is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data through shared key authentication or SAS tokens signed with a shared key.

“Your storage account access key gives you full access to your storage account’s configuration as well as your data.” Note in that document. “Accessing the shared key gives the user full access to the configuration of the storage account and its data.”

The cloud security firm says these access tokens can be stolen by manipulating Azure Functions, potentially giving threat actors access to your accounts. Storage Account Contributor role Escalate privileges and take over the system.

in particular, managed identity When used to call a function app, it can be exploited to execute arbitrary commands. This is made possible by the fact that a dedicated storage account is created when you deploy your Azure Function App.

“If an attacker finds a function app’s storage account with a strong managed identity assigned to it, they can execute code on their behalf, resulting in a subscription privilege escalation (PE),” said Roi, a researcher at Orca. Nisimi said.

upcoming webinars

Learn How to Secure Your Identity Perimeter – A Proven Strategy

Improve your business security in our upcoming expert-led cybersecurity webinar: Exploring Identity Perimeter Strategies!

Don’t miss it – secure your seat!

This means that by exfiltrating the access token of the managed identity assigned to the Azure Function app to a remote server, the attacker can elevate privileges, move laterally, access new resources, and reverse-shell on the virtual machine. can do.

“By overriding a function file in a storage account, an attacker can steal and steal a higher privileged identity and use it to move laterally and exploit the victim’s most precious crown jewel. can be infringed,” explains Nisimi.

As a mitigation, we recommend that organizations consider disabling Azure Shared Key authentication and using Azure Active Directory authentication instead. In a joint disclosure, Microsoft Said “We will be updating how the Functions client tools work with storage accounts.”

“This includes changes to better support scenarios using identities. After identity-based connectivity for AzureWebJobsStorage is generally available and new experiences are validated, identities will become the default mode for AzureWebJobsStorage This is intended to move away from shared key authentication.” Added more tech giants.

The findings highlight a misconfiguration issue affecting Azure Active Directory that allows Bing search results to be tampered with, and an Azure Service Fabric Explorer (SFX) vulnerability that can lead to unauthenticated remote code execution. It arrived a few weeks after Microsoft patched the reflected XSS vulnerability.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog