Attackers could exploit a “by-design flaw” in Microsoft Azure to access storage accounts, and even execute remote code.
At a glance
- Orca has found that Microsoft Storage Accounts can be abused by manipulating Azure Functions to steal the access tokens of higher-privileged identities, move laterally, reach critical business assets, and achieve remote code execution (RCE).
- Microsoft has already cautioned that authorizing storage access with access keys is not appropriate for scenarios where only specific, limited access is required, as it exposes organizations to a greater security risk. Even though Microsoft does not recommend it, Shared Key authorization is still enabled by default on Azure Storage Accounts.
“Storage account access keys provide full access to the configuration of a storage account, as well as the data,” Microsoft says in its documentation. “Access to the shared key grants a user full access to a storage account’s configuration and its data.”
- After Orca reported this discovery to the Microsoft Security Response Center, MSRC responded that while they consider it a significant risk, it is not a vulnerability but a design flaw that cannot be fixed without significant changes to the system's design. That does not make it any less hazardous; if anything, it should be regarded as more dangerous, since there is no straightforward fix.
Mitigating the risk
- Organizations should disable Azure Shared Key authorization and use Azure Active Directory authentication instead.
- Implementing the least-privilege principle significantly reduces this risk (as well as other risks).
Users of the Orca Platform can be notified when assigned roles containing the listKeys permission are discovered, allowing those roles to be adjusted according to the least-privilege principle.
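As an added example (not Orca's or Microsoft's code), the following Python applies the two mitigations above to constructed sample data shaped like trimmed `az role definition list` and `az storage account list` output: it flags role definitions whose effective actions (Actions minus NotActions, wildcards included) cover listKeys, and storage accounts whose allowSharedKeyAccess property is unset or true. The role and account names are made up; allowSharedKeyAccess is the real storage-account property that controls Shared Key authorization.

```python
import fnmatch
import json

# Constructed sample data (not from a real tenant), shaped like trimmed output
# of `az role definition list` and `az storage account list`.
ROLE_DEFINITIONS = json.loads("""[
 {"roleName": "Contributor",
  "permissions": [{"actions": ["*"],
                   "notActions": ["Microsoft.Authorization/*/Delete"]}]},
 {"roleName": "Storage Blob Data Reader",
  "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                   "notActions": []}]},
 {"roleName": "Custom Storage Ops",
  "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                   "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"]}]},
 {"roleName": "Custom Key Reader",
  "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/listkeys/action"],
                   "notActions": []}]}
]""")
STORAGE_ACCOUNTS = json.loads("""[
 {"name": "stlogs001", "allowSharedKeyAccess": null},
 {"name": "stdata002", "allowSharedKeyAccess": false},
 {"name": "stbackup3", "allowSharedKeyAccess": true}
]""")
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

def action_matches(pattern, action=LIST_KEYS):
    # RBAC action strings are case-insensitive; '*' matches any run of segments
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_grants_list_keys(role):
    """listKeys is granted when some permission block allows it via Actions
    (possibly through a wildcard such as '*') and does not revoke it via NotActions."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p) for p in perm.get("actions", []))
        denied = any(action_matches(p) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def roles_granting_list_keys(roles=ROLE_DEFINITIONS):
    return sorted(r["roleName"] for r in roles if role_grants_list_keys(r))

def accounts_with_shared_key(accounts=STORAGE_ACCOUNTS):
    # allowSharedKeyAccess unset (null) means the default, which is enabled
    return sorted(a["name"] for a in accounts if a.get("allowSharedKeyAccess") is not False)

if __name__ == "__main__":
    print("roles that can list keys:", roles_granting_list_keys())
    print("accounts still accepting shared keys:", accounts_with_shared_key())
```

Note that the broad built-in Contributor role is flagged through its `*` action, which is why an explicit listKeys search alone would miss it; on a live subscription the same functions can be fed the real JSON from the two `az` commands named above.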
Conclusion
It is now evident that cloud-based systems also require due diligence on security. The finding also shows that total reliance on any one storage system can be a mistake, and that alternative methods of backing up data are needed.
Staying up to date on security best practices and adapting to changes is a must. Security breaches can be avoided with proper planning and strategy.