Microsoft announced that it has addressed a vulnerability in its Azure Automation service that could allow an attacker to gain full control of other Azure customers’ data.
AutoWarp is a critical vulnerability in the Azure Automation service that allows unauthorized access to other Azure customer accounts using the service. Depending on the privileges assigned by the customer, this attack could result in complete control over resources and data belonging to the targeted account.
Microsoft Azure Automation Service provides process automation, configuration management, and update management capabilities, with each scheduled job running inside an isolated sandbox for each Azure customer.
The vulnerability, named AutoWarp, allows an attacker to steal Managed Identities authentication tokens of other Azure customers from an internal server that manages other users’ sandboxes.
Someone with malicious intent could continuously acquire tokens and spread the attack to more Azure customers with each token.
The impact of the attack depends on the privileges assigned by the customer, and could mean complete control over the resources and data belonging to the account.
We found large companies at risk, including a global telecommunications company, two automakers, a banking conglomerate, and a Big 4 accounting firm.
No real-world exploitation
Azure Automation accounts affected by this vulnerability include those with the Managed Identity feature enabled (according to Tsarimi, it is on by default).
Microsoft states that “Automation accounts that use Automation Hybrid Worker for execution and Automation Run-As accounts for access to resources are not affected.”
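Because the impact depends on what each account's managed identity is allowed to do, a defender's first check is which Automation accounts have a managed identity and which roles it holds. The following Python script is an added example, not code from the original article or from Microsoft; the inventory data is constructed, the field names assume the JSON shape printed by `az resource list` and `az role assignment list --all`, and the choice of "broad" roles is an assumption.

```python
import json

# Constructed sample inventory (not from the original page). Field names assume
# the JSON shape printed by `az resource list` and `az role assignment list --all`.
ACCOUNTS = json.loads("""[
  {"name": "auto-prod",   "identity": {"type": "SystemAssigned", "principalId": "aaaa-1111"}},
  {"name": "auto-legacy", "identity": null},
  {"name": "auto-dev",    "identity": {"type": "UserAssigned", "userAssignedIdentities":
      {"/subscriptions/sub-0/resourceGroups/rg-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dev-id":
       {"principalId": "bbbb-2222"}}}}
]""")
ASSIGNMENTS = json.loads("""[
  {"principalId": "aaaa-1111", "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0"},
  {"principalId": "bbbb-2222", "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0/resourceGroups/rg-dev"}
]""")

# Assumption: these built-in roles are treated as "broad" for this audit.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def principal_ids(account):
    """Return every managed-identity principal attached to an Automation account."""
    identity = account.get("identity") or {}
    ids = [identity["principalId"]] if identity.get("principalId") else []
    for uai in (identity.get("userAssignedIdentities") or {}).values():
        if uai.get("principalId"):
            ids.append(uai["principalId"])
    return ids

def is_broad(assignment):
    """Broad = powerful role granted at root, subscription or management-group scope."""
    parts = assignment["scope"].strip("/").split("/")
    wide = len(parts) <= 2 or "managementGroups" in parts
    return wide and assignment["roleDefinitionName"] in BROAD_ROLES

def audit(accounts, assignments):
    """List accounts with a managed identity and flag the ones holding broad roles."""
    report = []
    for account in accounts:
        ids = principal_ids(account)
        if not ids:  # no managed identity: outside the affected set described above
            continue
        held = [a for a in assignments if a["principalId"] in ids]
        report.append({"account": account["name"],
                       "roles": sorted(f'{a["roleDefinitionName"]} @ {a["scope"]}' for a in held),
                       "broad": any(is_broad(a) for a in held)})
    return report

if __name__ == "__main__":
    for row in audit(ACCOUNTS, ASSIGNMENTS):
        print(row)
```

Accounts flagged `broad` are the ones where a stolen token would have given the widest access, so they are the first candidates for narrower role assignments.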
On December 10, four days after the report, Microsoft fixed this security flaw by blocking access to authentication tokens from all sandboxes except the one with legitimate access rights.
The company disclosed the vulnerability, saying it found no evidence that Managed Identities tokens were misused or that AutoWarp was exploited in attacks.
We are notifying all affected Azure Automation service customers and recommend that they follow the security best practices outlined herein.
In December, we also fixed a bug in Azure (named NotLegit) that allowed attackers to access the source code of customers’ Azure web applications.