A “By-Design” flaw in Microsoft Azure can allow storage accounts takeover

A flaw in Microsoft Azure could be exploited by attackers to gain access to storage accounts, perform lateral movements, and even execute remote code.

Researchers from the security firm Orca demonstrated how to abuse Microsoft Azure Shared Key authorization to gain full access to storage accounts and potentially critical business assets. The issue can also be abused to move laterally in the environment and even execute remote code.

Microsoft already recommends disabling shared key access and using Azure Active Directory authentication instead, but experts pointed out that shared key authorization is still enabled by default when creating storage accounts.

“Orca discovered that it is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access tokens of higher privileged identities, move laterally, access critical business assets, and execute remote code (RCE).” reads the advisory published by the security firm.

Azure storage accounts can host different data objects, such as blobs and file shares. By default, Azure Storage account requests can be authorized with either Azure Active Directory (Azure AD) credentials or by using the account access key for Shared Key authorization.

Every time users create a storage account, Azure generates two 512-bit storage account access keys for the account. Microsoft warns that anyone who can obtain one of these keys can authorize access to data via Shared Key Authorization and get access to a storage account. The IT giant recommends using Azure AD authorization instead of Shared Key Authorization.

“Access to the shared key grants a user full access to a storage account’s configuration and its data.” states Microsoft.

Once obtained full-access permission to storage accounts, an attacker within the cloud environment can access information in storage accounts, including Azure functions’ sources, and manipulate their code to steal and exfiltrate an access token of the Azure Function App’s assigned managed-identity and escalate privileges.

The experts explained that if a managed identity is used to invoke the Function app, it could be abused to execute arbitrary commands.

“At this point stealing credentials and Escalating Privileges, as scary as it may sound, is fairly easy. Once an attacker locates the Storage Account of a Function App that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE).” concludes the report published by the experts. “By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims’ most valuable crown jewels.”

The experts shared their discovery with the Microsoft Security Response Center, but the IT giant explained that this issue is not a vulnerability, but rather a by-design flaw, which requires significant changes to be addressed.

“As part of ongoing experience improvements, the Azure Functions team plans to update how Functions client tools work with storage accounts. This includes changes to better support scenarios using identity.” Microsoft said “After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization.”

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

The Teacher – Most Educational Blog
The Entertainer – Most Entertaining Blog
The Tech Whizz – Best Technical Blog
Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Azure)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.