While cybersecurity is a dynamically evolving area where threat actors and defenders are essentially competing against each other, it doesn't help when your product has security gaps that attackers can easily leverage. This has happened before with Microsoft Azure, where a major design flaw in Azure CosmosDB exposed customer data for years, and today the company has disclosed details about yet another similar vulnerability, which it has now patched.
The flaw in the Azure Automation service was discovered by Orca Security, and while you can find all the nitty-gritty details here, the crux of the matter is that the security hole enabled unauthorized cross-account access.
If a user was running an Azure Automation job in the Azure Sandbox, they could leverage the vulnerability to get access to other customers' Managed Identity tokens as well. These tokens are used to gain access to Azure resources, so in theory someone who obtained them could elevate their privileges across the entire affected account.
Orca Security discovered this flaw on December 6, 2021 and reported it privately to Microsoft with the name "AutoWarp". It noted that several large companies using Azure were exposed, including a global telco, two car manufacturers, accounting firms, and a banking conglomerate. Microsoft patched the issue on December 10 and then took some more time to assess its impact and related variants. Then, on March 7, 2022, the flaw was publicly disclosed.
Microsoft has emphasized that it has found no evidence of the tokens being misused. Customers who utilize Automation Hybrid workers for execution and Automation Run-As accounts for resource access are unaffected, but the company has notified all those impacted. Moving forward, the company recommends that Azure Automation users follow the security guidelines detailed here.