A “design flaw” found in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in environments, and even execute remote code.
“It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access tokens from higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE),” Orca said in a new report. . report shared with The Hacker News.
The exploit path underlying this attack is called the mechanism Shared Key Authorizationwhich is enabled by default in the storage account.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. This key can be used to authorize access to data through a Shared Key authorization, or via a SAS token signed with a shared key.
“Storage account access keys provide full access to storage account configurations, as well as data,” Microsoft notes in the documentation. “Access to the shared key gives the user full access to the storage account configuration and its data.”
The cloud security firm says these access tokens can be stolen by manipulating Azure Functions, potentially allowing threat actors to access accounts with Storage Account Contributor role to elevate privileges and take over the system.
In particular, must a managed identity used to call Functions app, it can be abused to execute any command. This, in turn, is made possible due to the fact that a dedicated storage account is created while deploying the Azure Functions application.
“Once an attacker encounters a Functions-assigned application storage account with a strong managed identity, it can execute code on its behalf and obtain subscription rights escalation (PE) as a result,” said Orca researcher Roi Nisimi.
In other words, by extracting an access token from an Azure Function application’s managed identity to a remote server, a threat actor can escalate privileges, move laterally, access new resources, and run a reverse shell on a virtual machine.
“By overriding function files in storage accounts, attackers can steal and extract identities with higher privileges and use them to move laterally, exploit, and compromise a victim’s most valuable crown jewels,” explained Nisimi.
As a mitigation, we recommend that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In coordinated disclosure, Microsoft said it “plans to update how the Functions client tool works with storage accounts.”
“This includes changes to support scenarios that better use identities. Once identity-based connections for AzureWebJobsStorage are generally available and the new experience is validated, identities will be the default mode for AzureWebJobsStorage, intended to move away from shared key authorization,” the tech giant further added. .
The findings come weeks after Microsoft patched a configuration issue impacting Azure Active Directory that allowed tampering with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.