Microsoft and Orca Security have disclosed a vulnerability in the Azure Automation service that allowed attackers to gain unauthorized access to other customers' Azure accounts. Depending on the privileges of the targeted account, an attacker could thereby take full control of other people's resources and data.
The AutoWarp vulnerability was discovered by Orca Security researcher Yanir Tsarimi in December 2021; Microsoft fixed it a day later. All major companies affected have been notified of the issue and are required to install the hotfix.
The vulnerability specifically affected Azure Automation accounts that used Managed Identity tokens for authorization (which are enabled by default) and the Azure sandbox environment to start and run their jobs.
Microsoft has not found any evidence that the tokens were used by attackers.
An Azure Automation job can obtain a Managed Identity token to access Azure resources, and what that token can reach is determined by the permissions assigned to the Managed Identity. The vulnerability could allow a user running an automation job in the Azure sandbox to obtain the Managed Identity tokens of other customers' jobs and thereby take over their resources.
The vulnerability does not affect accounts that run their jobs through Automation Hybrid (Hybrid Runbook Workers) and/or use Automation Run-As accounts to access resources.
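The scope statements above (Managed Identity plus Azure-sandbox execution is affected; Run-As or hybrid-worker execution is not) translate directly into an inventory triage a defender can run over their own Automation accounts. The following is an added example, not code from Orca Security or Microsoft. It works over a constructed inventory embedded inline, and the field names it reads ("identity.type", "runOn", "runAsEnabled") are assumptions for the example rather than an authoritative Azure schema; adapt them to whatever your inventory export emits.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample inventory (not real data), loosely modelled on an export of
# Automation accounts and their recent jobs. The field names "identity.type",
# "runAsEnabled" and "runOn" are assumptions for this example, not an
# authoritative Azure schema.
SAMPLE_INVENTORY: List[dict] = json.loads("""
[
  {"name": "auto-prod",   "identity": {"type": "SystemAssigned"},
   "jobs": [{"runbook": "rotate-keys", "runOn": ""}]},
  {"name": "auto-hybrid", "identity": {"type": "SystemAssigned"},
   "jobs": [{"runbook": "patch-vms",   "runOn": "onprem-workers"}]},
  {"name": "auto-legacy", "identity": {"type": "None"}, "runAsEnabled": true,
   "jobs": [{"runbook": "report",      "runOn": ""}]},
  {"name": "auto-idle",   "identity": {"type": "UserAssigned"}, "jobs": []}
]
""")


def uses_managed_identity(account: dict) -> bool:
    """True when a system- or user-assigned Managed Identity is attached."""
    return account.get("identity", {}).get("type", "None") != "None"


def ran_in_azure_sandbox(account: dict) -> bool:
    """True when any recorded job ran without a hybrid worker group, i.e. in the
    Azure-hosted sandbox rather than on a Hybrid Runbook Worker (assumed: an
    empty "runOn" means sandbox execution)."""
    return any(not job.get("runOn") for job in account.get("jobs", []))


def classify(account: dict) -> Tuple[str, str]:
    """Map one account onto the scope described in the article:
    exposed     - Managed Identity attached and jobs executed in the Azure sandbox
    not-exposed - no Managed Identity (Run-As or none) or hybrid-worker execution only
    review      - Managed Identity attached but no job history to decide on
    """
    if not uses_managed_identity(account):
        return "not-exposed", "no Managed Identity attached (Run-As or none)"
    if not account.get("jobs"):
        return "review", "Managed Identity attached but no job history"
    if ran_in_azure_sandbox(account):
        return "exposed", "Managed Identity attached and jobs ran in the Azure sandbox"
    return "not-exposed", "Managed Identity attached but jobs ran only on hybrid workers"


def triage(inventory: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Classify every account in the inventory, keyed by account name."""
    return {acct["name"]: classify(acct) for acct in inventory}


def summary(inventory: List[dict]) -> Dict[str, int]:
    """Count accounts per classification, useful as a quick exposure report."""
    counts: Dict[str, int] = {"exposed": 0, "not-exposed": 0, "review": 0}
    for status, _ in triage(inventory).values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for name, (status, reason) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status:12} {reason}")
    print(summary(SAMPLE_INVENTORY))
```

Accounts classified as "exposed" are the ones whose Managed Identity role assignments deserve a least-privilege review, since the token a sandbox job obtains carries exactly those permissions; "review" accounts need job history before they can be placed in or out of scope.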
Microsoft has blocked access to Managed Identity tokens from all sandbox environments except those with legitimate access to them.