Researchers this week reported on AutoWarp, a critical vulnerability found late last year in the Azure Automation service.
In a blog post that reported the issue for the first time, Orca Security researchers said Microsoft was notified of the vulnerability on Dec. 6, 2021, and fixed it four days later.
The researchers said the vulnerability could allow unauthorized access to other Azure customer accounts using the service. Such an attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer.
While it’s good news that Microsoft patched the vulnerability within four days, it represents yet another vulnerability in cloud platforms that would give criminal actors access to multiple environments, said Charles “Chuck” Everette, director of cybersecurity advocacy at Deep Instinct.
“We have seen a huge uptick in supply chain attacks, and these types of vulnerabilities are disturbing on multiple levels,” Everette said. “The good news is in this case it does not seem to be that it was weaponized, but it's definitely going to give threat actors ideas for additional angles of attack.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said vulnerabilities in underlying cloud infrastructure have been a known risk for some time. Fortunately, this one was discovered by an ethical researcher, and Microsoft reacted within a matter of days to fix the issue.
“While there’s no evidence that it was exploited by threat actors, it’s the kind of vulnerability that keeps CISOs up at night,” Parkin said.
Joshua Aagard, vulnerability analyst on the Photon Research Team at Digital Shadows, pointed to the AutoWarp vulnerability as an example of good research and a thorough response averting a potential Azure cloud disaster. Aagard said the impacted service — Microsoft Azure Automation Service — performs process automations for such tasks as updates, configurations, and integrations.
“Infrastructure-as-a-Service at times crosses hard boundaries — the automation job in this instance acquired the Managed Identities tokens of other automation jobs, exceeding the scope of work,” Aagard said. “It's curious why exactly the settings in the Managed Identity feature in the automation account were set to ‘Enabled’ by default. However, Microsoft stepped up to the plate by mitigating the vulnerability [quickly] and reviewing for any evidence of token misuse.”