
Microsoft Azure flawed ‘By Design’: Hackers have the opportunity to attack


Attackers could exploit a “by-design flaw” in Microsoft Azure's storage shared key authorization to gain access to storage accounts and, from there, even execute code remotely.

At a glance

  • Orca has found that an attacker who can obtain a storage account's access keys (for example through a role that carries the listKeys permission) can abuse the Storage Account that backs an Azure Function, tamper with the function, steal the access tokens of higher-privileged identities, move laterally, reach critical business assets and achieve remote code execution (RCE). 
  • Microsoft itself cautions that authorizing storage access with account access keys is not appropriate for scenarios that need fine-grained access, since it exposes organizations to greater risk. Even so, shared key authorization is still enabled by default on Azure Storage Accounts.

“Storage account access keys provide full access to the configuration of a storage account, as well as the data,” Microsoft says in its documentation. “Access to the shared key grants a user full access to a storage account’s configuration and its data.”

  • After Orca reported the finding to the Microsoft Security Response Center, Microsoft responded that while it considers this a significant risk, it is not a vulnerability but a design flaw that cannot be fixed without significant changes to the system's design. That does not make it any less hazardous. If anything, it should be regarded as more dangerous, since there is no straightforward fix.

Mitigating the risk

  • Organizations should disable Shared Key authorization on their storage accounts and use Azure Active Directory authentication instead. 
  • Applying the least-privilege principle to role assignments significantly reduces this risk (and others). 

According to Orca, its platform can alert when role assignments that include the listKeys permission are found, so they can be adjusted in line with the least-privilege principle.
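The two mitigations above can be checked from the command line. The script below is an added example for this article, not code from Orca or Microsoft: it assumes JSON in the shape returned by `az storage account list -o json` and `az role definition list -o json`, flags every storage account on which shared key authorization is still enabled (an unset `allowSharedKeyAccess` counts as enabled, because that is Azure's default), lists every role that grants `Microsoft.Storage/storageAccounts/listKeys/action` directly or through a wildcard, and emits the `az storage account update --allow-shared-key-access false` command for each affected account. The sample data is constructed for the demo and not taken from any real tenant.

```python
"""Audit storage accounts for shared-key authorization and RBAC roles for listKeys.

Added example; assumes the JSON shapes of `az storage account list -o json`
and `az role definition list -o json`. All SAMPLE_* data below is constructed.
"""
import json
import re

LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed sample of `az storage account list -o json` (relevant fields only).
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "funcappstorage", "resourceGroup": "rg-prod",
     "allowSharedKeyAccess": None},   # never set: Azure treats this as enabled
    {"name": "archive01", "resourceGroup": "rg-prod",
     "allowSharedKeyAccess": True},
    {"name": "hardened02", "resourceGroup": "rg-prod",
     "allowSharedKeyAccess": False},
])

# Constructed sample of `az role definition list -o json` (relevant fields only).
SAMPLE_ROLES = json.dumps([
    {"roleName": "Storage Account Contributor",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                      "notActions": []}]},
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Custom Blob Ops",   # hypothetical custom role
     "permissions": [{"actions": ["*"], "notActions": [LIST_KEYS_ACTION]}]},
])


def _action_matches(pattern, action):
    """Azure RBAC wildcard semantics: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role, action=LIST_KEYS_ACTION):
    """True if some permission block allows `action` and its notActions do not remove it."""
    for perm in role.get("permissions", []):
        allowed = any(_action_matches(p, action) for p in perm.get("actions", []))
        denied = any(_action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_with_list_keys(role_json):
    """Role names that can read storage account keys, i.e. candidates for least-privilege review."""
    return sorted(r["roleName"] for r in json.loads(role_json) if role_grants(r))


def shared_key_enabled(account):
    # Only an explicit false disables shared key; null/absent means the default (enabled).
    return account.get("allowSharedKeyAccess") is not False


def accounts_with_shared_key(account_json):
    """Storage accounts on which shared key authorization is still active."""
    return [a["name"] for a in json.loads(account_json) if shared_key_enabled(a)]


def remediation_commands(account_json):
    """Azure CLI commands that switch each affected account to identity-based access only."""
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in json.loads(account_json) if shared_key_enabled(a)
    ]


if __name__ == "__main__":
    print("Shared key still enabled on:", accounts_with_shared_key(SAMPLE_ACCOUNTS))
    print("Roles that grant listKeys:", roles_with_list_keys(SAMPLE_ROLES))
    print("\n".join(remediation_commands(SAMPLE_ACCOUNTS)))
```

Run the real audit by piping the output of the two `az` commands into these functions in place of the sample strings. Before flipping `--allow-shared-key-access false` on a production account, confirm that every client of that account, including any Azure Function app that stores its content there, has already been moved to Azure AD (identity-based) connections; otherwise disabling the key breaks the workload rather than hardening it.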

Conclusion

It is now evident that cloud-based systems also require security due diligence. The finding is also a reminder that total reliance on any one storage system can be a mistake, and that backups of your data should use an alternative method.

Keeping up to date with security best practices, and adapting as they change, is also a must. With proper planning and strategy, security breaches can be avoided. 

Author: PureVPN

Date: April 12, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
