Microsoft and Orca Security specialists have revealed details about a dangerous vulnerability in the Azure Automation service, which provided attackers with the opportunity to gain unauthorized access to other people’s Azure user accounts. Thus, attackers could seize full control over other people’s resources and data, depending on the privileges of the attacked accounts.
The vulnerability, dubbed AutoWarp, was discovered by Orca Security researcher Yanir Tsarimi on December 6, 2021, and Microsoft fixed it on December 10. Details about the problem have been published only now, when all affected large companies using Azure Automation have been notified about it and had to install a fix.
The vulnerabilities were exposed to Azure Automation accounts that used Managed Identities tokens for authorization (enabled by default) and Azure Sandbox for startup and execution. Microsoft has not found any evidence of the use of tokens by attackers.
An Azure automation job can get a Managed Identities token to access Azure resources. Token access capabilities are defined in Managed Identity. Due to the vulnerability, the user who started the Azure Sandbox automation task could receive Managed Identities tokens of another automation task and thereby gain access to other people’s resources.
The vulnerability does not affect accounts using Automation Hybrid for execution and/or Automation Run-As accounts for accessing resources.
Microsoft fixed the issue on December 10, 2021 by blocking access to Managed Identities tokens to all sandbox environments except the one with legitimate access.