Microsoft is reporting that a vulnerability in its Azure Automation service was mitigated in December, following its discovery by a researcher at Orca Security, and that there’s no evidence the vulnerability was exploited by malicious actors.

If it had not been caught and fixed, the critical vulnerability could have allowed someone to cross from one tenant within Azure to another tenant — potentially allowing them to access data and resources from numerous other customers, according to Orca Security.

“You could very easily gotten a lot of access to a lot of customers,” said Yoav Alon, CTO at cloud security firm Orca Security.

The cross-tenant vulnerability, dubbed “AutoWarp” by Orca, was discovered by Orca researcher Yanir Tsarimi and reported to Microsoft on December 6, 2021. Microsoft says that it fixed the issue on December 10, 2021, by blocking any access that was not legitimate.

As a result of the AutoWarp vulnerability, Managed Identities tokens — essentially keys that provide you with access to different resources — could have been exploited to access other tenants. In a blog post, Microsoft said it “has not detected evidence of misuse of tokens.”

Microsoft said it has notified all customers with accounts that were potentially impacted by the vulnerability. The company said it did not have further comments beyond its blog post.

Azure Automation, which enables execution automation of code, is a popular service because it’s “very basic and very easy to use,” Tsarimi said.

“You could get into it in minutes, and just upload your code and use it immediately,” he said. “So I think if someone wanted to automate anything on the cloud, they would use the Azure Automation service.”

Disaster averted

AutoWarp potentially would have allowed unauthorized users to access other Azure customer accounts using the Azure Automation service — potentially enabling full control over the data and resources in targeted accounts, based on how permissions were configured, according to Orca.

The company said in a blog that its research showed that “multiple large companies were using the service and could have been accessed, putting billions of dollars at risk.” This included two car makers, a major telecommunications company, a banking conglomerate and one of the “big four” accounting firms, Orca said.

What the vulnerability allowed was “to actually take the permissions that the users gave to this automation and be able to use those permissions ourselves,” Alon said. “We didn’t do that — we just verified that we were able to do that.”

So for example, “we could have done anything that the the user has given this automation to be able to do,” he said. “We could have taken over their full account, if the permissions were not configured correctly — which a lot of people don’t do.”

Microsoft Azure, like all other cloud providers, provides multitenancy, meaning that each account is supposed to be isolated from the other accounts.

“So actually being able to take over or access someone else’s account is a very big breach,” Alon said. “It’s considered one of the biggest security breaches that you can have in the cloud. That’s one of the core promises of the cloud providers — they promise you that no other tenants will be able to access your data or your resources.”

What Orca found is that in this instance, it didn’t only affect the Azure Automation account, he noted.

“We weren’t only able to access things that are related to this specific service — we would technically able to access everything that this service could have accessed, which is far more severe,” Alon said.

‘Fixed for everyone’

Orca said that customers could have been vulnerable to AutoWarp prior to it being fixed if they’ve been using the Azure Automation service and the Managed Identity feature in their automation account was enabled. This feature is enabled by default, Orca noted.

“If you wanted to do the review yourself, you’d look at the logs and look what your managed identity accessed before that date, and if you see something suspicious, you could look into it,” Alon said. “But it’s important to mention that all tokens that could have been obtained by this vulnerability are expired. You cannot keep using the tokens … I think most customers can … sleep well at night knowing that the investigation was done [with] Microsoft.”

While this issue potentially could have affected many users, since it’s in the cloud, “once the issue is fixed, it’s fixed immediately for everyone,” he said.

Tsarimi previously discovered another cross-tenant vulnerability in January, which impacted Amazon Web Services (AWS). The vulnerability was dubbed Superglue because it affected the AWS Glue data integration service.

“We’re approaching cloud security by challenging the biggest cloud providers,” he said. “And this research is just a result of us going through something new and asking the questions that people didn’t ask before.”

Ultimately, “we just like to challenge the boundaries of cloud security and we believe it’s a long-term effort that needs to be discussed more,” Tsarimi said. “Because as you can see, with this vulnerability, there is a very, very big impact with just one simple flaw.”