
Cross Tenant Vulnerabilities Could Soon Spell a Curse on Microsoft Azure


A malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant’s Integration Runtimes

Microsoft is reporting that a vulnerability in its Azure Automation service was mitigated in December, following its discovery by a researcher at Orca Security, and that there’s no evidence the vulnerability was exploited by hackers. Had it not been caught and fixed, the critical vulnerability could have allowed someone to cross from one tenant within Azure to another tenant — potentially allowing them to access data and resources from numerous other customers, according to Orca Security.

Disaster averted

AutoWarp would have allowed unauthorized users to access other Azure customer accounts through the Azure Automation service, potentially giving them full control over the data and resources in the targeted accounts, depending on how permissions were configured, according to Orca.

The company said in a blog that its research showed that “multiple large companies were using the service and could have been accessed, putting billions of dollars at risk.” This included two car makers, a major telecommunications company, a banking conglomerate, and one of the “big four” accounting firms, Orca said.

Hacking the cloud

In mid-2019, an attack against Capital One’s AWS cloud environment exposed the data of 106 million customers. The breach of one of the largest U.S. banks served as a wake-up call in the world of cloud security, showing what’s possible when an attacker targets the public cloud.

But as bad as it was, the breach only impacted one company. Thanks to the architecture of the cloud, every organization’s data is kept isolated from, and invisible to, other tenants. An attacker who breaches a single customer’s environment cannot gain access to the rest.

“The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole,” Microsoft said.

“The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.”

In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant’s Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

Last month, Microsoft also resolved a pair of issues — dubbed “ExtraReplica” — with the Azure Database for PostgreSQL Flexible Server that could result in unapproved cross-account database access in a region.

Limitations of Microsoft Azure’s cross-tenant management (Azure Lighthouse)

  • Requests handled by Azure Resource Manager can be performed using Azure Lighthouse. However, requests that are handled by an instance of a resource type (such as Key Vault secrets access or storage data access) aren’t supported with Azure Lighthouse. The latter also are typically data operations rather than management operations.
  • Role assignments must use Azure built-in roles. All built-in roles are currently supported with Azure Lighthouse, except for Owner or any built-in roles with DataActions permission. The User Access Administrator role is supported only for limited use in assigning roles to managed identities. Custom roles and classic subscription administrator roles are not supported.
  • While you can onboard subscriptions that use Azure Databricks, users in the managing tenant can’t launch Azure Databricks workspaces on a delegated subscription at this time.
  • While you can onboard subscriptions and resource groups that have resource locks, those locks will not prevent actions from being performed by users in the managing tenant. Deny assignments that protect system-managed resources, such as those created by Azure managed applications or Azure Blueprints (system-assigned deny assignments), do prevent users in the managing tenant from acting on those resources; however, at this time users in the customer tenant can’t create their own deny assignments (user-assigned deny assignments).
  • Delegation of subscriptions across a national cloud and the Azure public cloud, or across two separate national clouds, is not supported.
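As an added example (not from the article, Orca or Microsoft), a small Python check that applies the role-assignment limitations listed above to the `authorizations` array of an Azure Lighthouse delegation template. The role catalog and principal IDs are constructed sample data (the GUIDs are the well-known built-in role IDs, to be verified against `az role definition list`), and treating a missing `delegatedRoleDefinitionIds` on User Access Administrator as an error is an assumption about the template format.

```python
"""Check Azure Lighthouse delegation authorizations against the rules listed above.
Constructed example; the catalog stands in for `az role definition list` output."""

# Well-known built-in role IDs plus one constructed custom role: (name, is_custom, has_data_actions)
ROLE_CATALOG = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": ("Owner", False, False),
    "b24988ac-6180-42a0-ab88-20f7382dd24c": ("Contributor", False, False),
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": ("Reader", False, False),
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": ("User Access Administrator", False, False),
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe": ("Storage Blob Data Contributor", False, True),
    "00000000-0000-0000-0000-00000000c0de": ("Custom Ops Role (constructed)", True, False),
}
UAA_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

def check_authorization(auth: dict) -> list[str]:
    """Return why one `authorizations` entry would be rejected; empty list means supported."""
    role_id = auth.get("roleDefinitionId", "")
    if role_id not in ROLE_CATALOG:
        return [f"{role_id}: unknown role definition"]
    name, is_custom, has_data_actions = ROLE_CATALOG[role_id]
    problems = []
    if is_custom:
        problems.append(f"{name}: custom roles are not supported")
    if name == "Owner":
        problems.append("Owner is not supported")
    if has_data_actions:
        problems.append(f"{name}: built-in roles with DataActions are not supported")
    if role_id == UAA_ID:
        # Assumed template rule: UAA must list the roles it may assign to managed identities.
        delegated = auth.get("delegatedRoleDefinitionIds") or []
        if not delegated:
            problems.append("User Access Administrator requires delegatedRoleDefinitionIds")
        for sub_id in delegated:
            problems += [f"delegated {p}" for p in check_authorization({"roleDefinitionId": sub_id})]
    return problems

def check_delegation(authorizations: list[dict]) -> dict[str, list[str]]:
    """Map each offending principalId to its problems; {} means the delegation is clean."""
    return {a["principalId"]: p for a in authorizations if (p := check_authorization(a))}

# Constructed sample in the shape of a registrationDefinitions `authorizations` array.
SAMPLE_AUTHORIZATIONS = [
    {"principalId": "group-ops", "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
    {"principalId": "group-admins", "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
    {"principalId": "sp-backup", "roleDefinitionId": "ba92f5b4-2d11-453d-a403-e96b0029c9fe"},
    {"principalId": "sp-automation", "roleDefinitionId": UAA_ID,
     "delegatedRoleDefinitionIds": ["acdd72a7-3385-48ef-bd42-f606fba81ae7"]},
    {"principalId": "group-custom", "roleDefinitionId": "00000000-0000-0000-0000-00000000c0de"},
]
```

Running `check_delegation(SAMPLE_AUTHORIZATIONS)` flags the Owner, DataActions and custom-role entries and passes the Contributor and scoped User Access Administrator entries.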


