Cross Tenant Vulnerabilities Could Soon Spell a Curse on Microsoft Azure

A malicious actor could weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes.

Microsoft is reporting that a vulnerability in its Azure Automation service was mitigated in December, following its discovery by a researcher at Orca Security, and that there's no evidence the vulnerability was exploited by hackers. Had it not been caught and fixed, the critical vulnerability could have allowed someone to cross from one tenant within Azure to another tenant — potentially allowing them to access data and resources from numerous other customers, according to Orca Security.

Disaster averted

The vulnerability, dubbed AutoWarp, potentially would have allowed unauthorized users to access other Azure customer accounts through the Azure Automation service, enabling full control over the data and resources in targeted accounts depending on how permissions were configured, according to Orca.

The company said in a blog that its research showed that "multiple large companies were using the service and could have been accessed, putting billions of dollars at risk." This included two car makers, a major telecommunications company, a banking conglomerate, and one of the "big four" accounting firms, Orca said.

Hackers are targeting cloud

Reuters first reported on the Cosmos DB vulnerability, which was discovered by the Wiz research team.

Microsoft fixed the vulnerability within 48 hours of its disclosure on August 12, but the vulnerability had been exploitable since mid-2019, according to Wiz researchers. Microsoft notified more than 30% of its clients about the data exposure, but researchers warn that the effects were likely more widespread.

"Every Cosmos DB customer should assume they've been exposed," Wiz researchers wrote.

Microsoft has asked customers to reset keys to their accounts as a precautionary measure, according to an email sent from the company to customers shared by a Wiz researcher.

Microsoft declined to share how many companies it notified about the potential breach.

Microsoft customers have endured a series of high-stakes vulnerabilities in the past year, at least two of which had to do with its email client Exchange.

Last month, Microsoft also resolved a pair of issues, dubbed "ExtraReplica", in Azure Database for PostgreSQL Flexible Server that could have allowed unauthorized cross-account database access within a region.

Limitations of Microsoft Azure's Cross-Tenant Management (Azure Lighthouse)

  • Requests handled by Azure Resource Manager can be performed using Azure Lighthouse. However, requests that are handled by an instance of a resource type (such as Key Vault secrets access or storage data access) aren't supported with Azure Lighthouse; these are typically data operations rather than management operations.
  • Role assignments must use Azure built-in roles. All built-in roles are currently supported with Azure Lighthouse, except for Owner or any built-in roles with DataActions permission. The User Access Administrator role is supported only for limited use in assigning roles to managed identities. Custom roles and classic subscription administrator roles are not supported.
  • While you can onboard subscriptions that use Azure Databricks, users in the managing tenant can't launch Azure Databricks workspaces on a delegated subscription at this time.
  • While you can onboard subscriptions and resource groups that have resource locks, those locks will not prevent actions from being performed by users in the managing tenant. Deny assignments that protect system-managed resources, such as those created by Azure managed applications or Azure Blueprints (system-assigned deny assignments), do prevent users in the managing tenant from acting on those resources; however, at this time users in the customer tenant can't create their own deny assignments (user-assigned deny assignments).
  • Delegation of subscriptions across a national cloud and the Azure public cloud, or across two separate national clouds, is not supported.
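The role constraints in the list above can be enforced before a delegation template is deployed. The following pre-deployment check is an added example written for this article, not Microsoft's, Orca's or Wiz's code: it rejects authorization entries that use a custom role, the Owner role, or a role with DataActions, and accepts User Access Administrator only when the entry restricts which roles it may assign. The role catalogue, role ids and sample delegation are constructed data, and the use of a `delegatedRoleDefinitionIds` field to express that restriction is an assumption about the template shape.

```python
# Added example (not from the article): validate a Lighthouse delegation's authorizations
# against the role constraints listed above. Catalogue and delegation are constructed data.
ROLE_CATALOGUE = {
    "id-owner": {"name": "Owner", "builtin": True, "data_actions": False},
    "id-reader": {"name": "Reader", "builtin": True, "data_actions": False},
    "id-uaa": {"name": "User Access Administrator", "builtin": True, "data_actions": False},
    "id-blob-reader": {"name": "Storage Blob Data Reader", "builtin": True, "data_actions": True},
    "id-custom": {"name": "CustomOps", "builtin": False, "data_actions": False},
}

def role_problem(role_id):
    """Reason a role cannot be delegated through Lighthouse, or None if it can."""
    role = ROLE_CATALOGUE.get(role_id)
    if role is None:
        return f"unknown role id {role_id}"
    if not role["builtin"]:
        return f"'{role['name']}' is a custom role; only built-in roles are supported"
    if role["name"] == "Owner":
        return "Owner cannot be delegated"
    if role["data_actions"]:
        return f"'{role['name']}' grants DataActions, which Lighthouse does not support"
    return None

def check_authorizations(authorizations):
    """Findings for Lighthouse 'authorizations' entries; an empty list means compliant."""
    findings = []
    for auth in authorizations:
        who, rid = auth.get("principalId", "?"), auth["roleDefinitionId"]
        problem = role_problem(rid)
        if problem:
            findings.append(f"{who}: {problem}")
            continue
        if ROLE_CATALOGUE[rid]["name"] == "User Access Administrator":
            # Assumption: UAA is acceptable only when delegatedRoleDefinitionIds limits
            # which roles it may assign, and each of those must itself be delegable.
            delegated = auth.get("delegatedRoleDefinitionIds") or []
            if not delegated:
                findings.append(f"{who}: User Access Administrator needs delegatedRoleDefinitionIds")
            findings += [f"{who}: delegated role {s}: {role_problem(s)}" for s in delegated if role_problem(s)]
    return findings

# Constructed sample: two compliant entries, four violations.
SAMPLE_AUTHORIZATIONS = [
    {"principalId": "ops-group", "roleDefinitionId": "id-reader"},
    {"principalId": "admins", "roleDefinitionId": "id-owner"},
    {"principalId": "data-team", "roleDefinitionId": "id-blob-reader"},
    {"principalId": "ops-group", "roleDefinitionId": "id-custom"},
    {"principalId": "automation", "roleDefinitionId": "id-uaa"},
    {"principalId": "automation", "roleDefinitionId": "id-uaa", "delegatedRoleDefinitionIds": ["id-reader"]},
]
```

Running `check_authorizations(SAMPLE_AUTHORIZATIONS)` reports the Owner, DataActions, custom-role and unrestricted UAA entries and passes the other two; the lock and national-cloud limitations in the list are not expressible in a template and still need a separate review.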


Analytics Insight