Orca Security this morning shared its discovery of an exploitation technique that abuses Microsoft Azure to gain access to accounts and, potentially, to move laterally within a system.
Azure security issue reported.
Orca Security reported this morning a critical, exploitable vulnerability in Microsoft Azure Shared Key authorization, “a secret key-based authentication method to storage accounts.”
Azure Functions enable abuse of Microsoft Storage accounts.
Orca reports discovering that Microsoft Storage accounts could be leveraged through Azure Functions to “steal access tokens of higher privileged identities, move laterally, access critical business assets, and execute remote code (RCE).” According to the researchers, Microsoft itself does not recommend authorizing storage access with account keys, as it creates more security risk for organizations. Nevertheless, Shared Key authorization was found to be enabled by default on Azure Storage accounts, despite that guidance.
Not a vulnerability, but rather a by-design flaw.
The Microsoft Security Response Center refrained from calling this a vulnerability. Instead, they have called it a by-design flaw, meaning it “cannot be fixed without making significant changes to the system’s design.” The researchers say that the lack of an implementable fix may mean this should be considered more dangerous than what we know as “vulnerabilities.” The researchers advise disabling Azure Shared Key authorization and using Azure Active Directory authentication in its place. A least-privilege strategy, the researchers say, can greatly reduce the risk.
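The remediation the researchers recommend is a per-account setting, so the first defensive step is finding every storage account that still accepts Shared Key authorization. The script below is an added example, not code from Orca Security or Microsoft. It assumes the record shape that `az storage account list -o json` returns, where each account carries an `allowSharedKeyAccess` property that is `true`, `false`, or absent/null; in the Azure resource model an absent value means Shared Key access is allowed, which is the default the article describes. The sample records are constructed for the example.

```python
"""Audit Azure Storage accounts for Shared Key authorization.

Added example (not Orca Security's or Microsoft's code). It assumes the
record shape that `az storage account list -o json` returns, where each
account carries an `allowSharedKeyAccess` property that is true, false
or absent/null. In the Azure resource model an absent value means Shared
Key access is allowed, which is the default described in the article.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample resembling `az storage account list -o json` output.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stprodfuncdata", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "stbackups", "resourceGroup": "rg-prod", "allowSharedKeyAccess": True},
    {"name": "sthardened", "resourceGroup": "rg-sec", "allowSharedKeyAccess": False},
    {"name": "stlegacy", "resourceGroup": "rg-legacy"},
])


def shared_key_allowed(account: dict[str, Any]) -> bool:
    """True unless the account explicitly disables Shared Key authorization.

    A missing or null property is treated as allowed because that is the
    platform default; only an explicit False counts as disabled.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(accounts_json: str) -> list[dict[str, str]]:
    """Return the accounts that still accept Shared Key authorization."""
    accounts = json.loads(accounts_json)
    return [
        {"name": a["name"], "resourceGroup": a["resourceGroup"]}
        for a in accounts
        if shared_key_allowed(a)
    ]


def remediation_commands(findings: list[dict[str, str]]) -> list[str]:
    """Build the `az storage account update` command that disables Shared Key
    authorization for each finding, leaving Azure AD as the remaining
    authorization path. Commands are returned rather than executed so they
    can be reviewed before any change is made."""
    return [
        f"az storage account update --name {f['name']} "
        f"--resource-group {f['resourceGroup']} --allow-shared-key-access false"
        for f in findings
    ]


if __name__ == "__main__":
    findings = find_shared_key_accounts(SAMPLE_ACCOUNTS_JSON)
    for f in findings:
        print(f"Shared Key authorization enabled: {f['resourceGroup']}/{f['name']}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

The commands are only generated, not run, because disabling Shared Key authorization breaks every client that still authenticates with an account key. Function Apps in particular reach their storage account through a connection string, so those should be moved to Azure AD-based (identity) connections and verified before the key path is switched off.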