A now-fixed flaw in Microsoft Azure has been discovered that could have allowed attackers to target multiple companies using one of the cloud platform’s automation services.
Cybersecurity firm Orca Security this week said it had found a major flaw in Microsoft’s Azure Automation that would have allowed attackers to compromise multiple virtual machines on the controlling server.
The flaw, known as AutoWarp, allowed unauthorized access to other Azure customer accounts using the service. The attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer.
Orca said the issue was reported to Microsoft and is now fixed, and all impacted customers have been notified. Affected companies reportedly included a global telecommunications company, two car manufacturers, a banking conglomerate, Big Four accounting firms, and more. Microsoft has noted that it has not detected evidence of misuse of the flaw.
Microsoft Azure Automation allows customers to execute automation code in a managed fashion. Each customer’s automation code runs inside a sandbox, isolated from other customers’ code executing on the same virtual machine.
However, Orca said it found a “serious flaw” that allowed it to interact with an internal server that manages the sandboxes of other customers. The security firm managed to obtain authentication tokens for other customer accounts through that server, allowing it to potentially compromise multiple companies.
Orca researcher Yanir Tsarimi was able to make HTTP requests to various ports that would yield identity tokens from Microsoft, enabling him to see the subscription ID, tenant ID, and automation account resource ID. Depending on permissions, those IDs could have been used to take over other companies’ accounts and services.
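Because the impact depended on the permissions each customer had assigned, one defensive check is to list which automation identities hold broad roles. The following is an added example, not code from Orca or Microsoft; it assumes role assignments exported in the shape of `az role assignment list --all -o json`, and the principal IDs, subscription ID and resource names are constructed sample values.

```python
import json
import re

# Built-in Azure roles that grant broad write or access-management rights.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels, broadest first; anything narrower counts as "resource".
BREADTH = ["root", "management-group", "subscription", "resource-group"]
PATTERNS = {
    "management-group": r"^/providers/Microsoft\.Management/managementGroups/[^/]+$",
    "subscription": r"^/subscriptions/[^/]+$",
    "resource-group": r"^/subscriptions/[^/]+/resourceGroups/[^/]+$",
}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    if scope == "/":
        return "root"
    scope = scope.rstrip("/")
    for level, pattern in PATTERNS.items():
        if re.match(pattern, scope, re.IGNORECASE):
            return level
    return "resource"

def risky_assignments(assignments, principal_ids):
    """High-privilege roles held by the given principals at resource-group
    scope or broader, sorted with the broadest scope first."""
    findings = []
    for a in assignments:
        level = scope_level(a.get("scope", ""))
        if (a.get("principalId") in principal_ids
                and a.get("roleDefinitionName") in HIGH_PRIVILEGE_ROLES
                and level in BREADTH):
            findings.append((a["principalId"], a["roleDefinitionName"], level, a["scope"]))
    return sorted(findings, key=lambda f: BREADTH.index(f[2]))

# Constructed sample: object IDs assumed to belong to automation account identities.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
AUTOMATION_PRINCIPALS = {"aaaa-1", "aaaa-2", "aaaa-3"}
SAMPLE_JSON = json.dumps([
    {"principalId": "aaaa-3", "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "aaaa-1", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "aaaa-1", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": "aaaa-2", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"principalId": "other-9", "roleDefinitionName": "Owner", "scope": SUB},
])

if __name__ == "__main__":
    for finding in risky_assignments(json.loads(SAMPLE_JSON), AUTOMATION_PRINCIPALS):
        print(*finding, sep="\t")
```

Identities flagged here are candidates for narrowing to a single resource or a read-only role.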
Tsarimi previously discovered another cross-tenant vulnerability in January, which impacted Amazon Web Services’ (AWS) Glue data integration service.
“AutoWarp, and previous critical cloud vulnerabilities such as AWS Superglue and BreakingFormation show that nothing is bulletproof and there are numerous ways attackers can reach your cloud environment,” Tsarimi said in a blog post.
“We want to thank Yanir Tsarimi from Orca Security who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” said Microsoft.