A Flaw in Azure's Shared Key Authorization Poses Risk to Cloud Security
Category: Cloud Security | Industry: Global | Level: Tactical | Source: Orca
Researchers from Orca Security have identified a 'by-design flaw' in Microsoft Azure resulting from its implementation of Shared Key authorization. Through this exploit, Orca asserts "it is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access tokens of higher privileged identities, move laterally, access critical business assets, and execute remote code (RCE)." Orca reported the issue to Microsoft, which acknowledged it but categorized it as a "by-design flaw" rather than a vulnerability, because addressing it would require considerable modifications to the system design; Microsoft has instead decided to fix the flaw through updates. Additionally, while Microsoft's recommendation is to use Azure Active Directory authentication, Shared Key authorization remains the default method when storage accounts are created. Furthermore, according to Microsoft's documentation, once a storage account is created, "Azure generates two 512-bit storage account access keys for that account." These keys are comparable to the "root password for your storage account."
This exploit is critical because it enables attackers to repeatedly abuse Azure access keys as a stepping stone into organizations, much as attackers previously abused public Amazon S3 storage buckets. A malicious actor with full access permissions to storage accounts in the cloud environment can easily identify the dedicated storage accounts hosting the source code for Azure Functions and manipulate that code to their advantage. This enables lateral movement within the environment, as Function Apps host their source code inside dedicated storage accounts that can be exploited to escalate privileges and take control of systems. Additionally, using a managed identity to call the Function App can allow the execution of any command.
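The two defensive checks that follow from the report are (1) finding storage accounts that still accept Shared Key authorization, which stays on by default, and (2) watching for principals that enumerate storage account keys, the operation behind the "Azure List Storage" and recon use cases. The script below is an added example, not code from Orca or Anvilogic. It runs on constructed, simplified sample data: the account list mimics only the fields it needs from `az storage account list -o json` (the `allowSharedKeyAccess` property is real; a `null` value means the default, Shared Key enabled), and the Activity Log records are flattened stand-ins for real records, which nest `operationName` and carry many more fields. The caller allowlist and the account-count threshold are assumptions a team would tune to its own environment.

```python
"""Audit Shared Key exposure and flag key-listing activity (added example)."""
import json
from collections import defaultdict

# Constructed sample shaped like the fields used from `az storage account list`.
# Names and values are made up. allowSharedKeyAccess == None is the default
# state: Shared Key authorization is still allowed on that account.
STORAGE_ACCOUNTS_JSON = json.dumps([
    {"name": "stfuncappprod01", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "stlogsarchive", "resourceGroup": "rg-ops", "allowSharedKeyAccess": False},
    {"name": "stdataexport", "resourceGroup": "rg-prod", "allowSharedKeyAccess": True},
])

# The Activity Log operation written when a principal requests the account keys.
LISTKEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
# Principals expected to list keys (deployment automation); assumed, tune per tenant.
KNOWN_AUTOMATION = {"deploy-sp@contoso.example"}


def rid(rg, name):
    """Build a resourceId for the constructed records (placeholder subscription)."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            f"{rg}/providers/Microsoft.Storage/storageAccounts/{name}")


# Constructed, flattened Activity Log records; only the fields used below are kept.
ACTIVITY_LOG = [
    {"eventTimestamp": "2023-04-12T08:01:10Z", "caller": "deploy-sp@contoso.example",
     "callerIpAddress": "10.1.0.5", "operationName": LISTKEYS_OP,
     "resourceId": rid("rg-prod", "stfuncappprod01")},
    {"eventTimestamp": "2023-04-12T13:22:41Z", "caller": "alice@contoso.example",
     "callerIpAddress": "203.0.113.7", "operationName": LISTKEYS_OP,
     "resourceId": rid("rg-prod", "stfuncappprod01")},
    {"eventTimestamp": "2023-04-12T13:23:05Z", "caller": "alice@contoso.example",
     "callerIpAddress": "203.0.113.7", "operationName": LISTKEYS_OP,
     "resourceId": rid("rg-prod", "stdataexport")},
    {"eventTimestamp": "2023-04-12T13:25:00Z", "caller": "alice@contoso.example",
     "callerIpAddress": "203.0.113.7",
     "operationName": "Microsoft.Storage/storageAccounts/read",
     "resourceId": rid("rg-ops", "stlogsarchive")},
]


def shared_key_enabled(accounts):
    """Names of accounts where Shared Key authorization is still allowed.

    Only an explicit False disables it; True and None (default) both mean the
    512-bit account keys can be used as a bearer credential.
    """
    return sorted(a["name"] for a in accounts if a.get("allowSharedKeyAccess") is not False)


def listkeys_by_caller(records):
    """Map each caller to the sorted set of storage accounts whose keys it listed."""
    per_caller = defaultdict(set)
    for r in records:
        if r["operationName"] == LISTKEYS_OP:
            per_caller[r["caller"]].add(r["resourceId"].rsplit("/", 1)[-1])
    return {caller: sorted(names) for caller, names in per_caller.items()}


def suspicious_callers(records, known=KNOWN_AUTOMATION, threshold=3):
    """Callers that listed keys and are not known automation, or that listed
    keys on `threshold` or more distinct accounts (enumeration behaviour)."""
    flagged = []
    for caller, names in listkeys_by_caller(records).items():
        if caller not in known or len(names) >= threshold:
            flagged.append((caller, names))
    return sorted(flagged)


if __name__ == "__main__":
    accounts = json.loads(STORAGE_ACCOUNTS_JSON)
    print("Shared Key still allowed:", shared_key_enabled(accounts))
    for caller, names in suspicious_callers(ACTIVITY_LOG):
        print(f"key listing by {caller}: {', '.join(names)}")
```

Accounts reported by `shared_key_enabled` are candidates for `az storage account update --allow-shared-key-access false` once their clients have moved to Azure AD authentication; the Function App's own storage account is the one to review first, since that is the pivot the report describes.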
Anvilogic Use Cases:
- Azure Suspicious Access & Recon with List Command
- Azure Brute Force Signin
- Azure Suspicious Storage Access
- Azure List Storage