Pierluigi Paganini
April 11, 2023
Researchers from the security firm Orca demonstrated how to abuse Microsoft Azure Shared Key authorization to gain full access to storage accounts and potentially critical business assets. The issue can also be abused to move laterally in the environment and even execute remote code.
Microsoft already recommends disabling shared key access and using Azure Active Directory authentication instead, but experts pointed out that shared key authorization is still enabled by default when creating storage accounts.
“Orca discovered that it is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access tokens of higher privileged identities, move laterally, access critical business assets, and execute remote code (RCE).” reads the advisory published by the security firm.
Azure storage accounts can host different data objects, such as blobs and file shares. By default, Azure Storage account requests can be authorized with either Azure Active Directory (Azure AD) credentials or by using the account access key for Shared Key authorization.
Every time users create a storage account, Azure generates two 512-bit storage account access keys for the account. Microsoft warns that anyone who can obtain one of these keys can authorize access to data via Shared Key Authorization and get access to a storage account. The IT giant recommends using Azure AD authorization instead of Shared Key Authorization.
“Access to the shared key grants a user full access to a storage account’s configuration and its data.” states Microsoft.
Once obtained full-access permission to storage accounts, an attacker within the cloud environment can access information in storage accounts, including Azure functions’ sources, and manipulate their code to steal and exfiltrate an access token of the Azure Function App’s assigned managed-identity and escalate privileges.
The experts explained that if a managed identity is used to invoke the Function app, it could be abused to execute arbitrary commands.
“At this point stealing credentials and Escalating Privileges, as scary as it may sound, is fairly easy. Once an attacker locates the Storage Account of a Function App that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE).” concludes the report published by the experts. “By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims’ most valuable crown jewels.”
The experts shared their discovery with the Microsoft Security Response Center, but the IT giant explained that this issue is not a vulnerability, but rather a by-design flaw, which requires significant changes to be addressed.
“As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity.” Microsoft said “After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization.”
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Azure)
