Automatic for the people

Microsoft has fixed a critical vulnerability in its Azure Automation service that could have allowed a cloud tenant to take full control over resources and data belonging to other customers.

Microsoft Azure Automation is designed to allow customers to schedule jobs, handle input and output, and more, with each customer’s automation code running inside a sandbox, isolated from other customers’ code executing on the same virtual machine.

However, a vulnerability – discovered by Orca Security and dubbed 'AutoWarp' – shattered the sanctity of this virtualized environment.

Time warp

AutoWarp affected customers using the Azure Automation service, provided the on-by-default Managed Identity feature in their automation account was enabled.

Affected customers included several large organisations, such as a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms and more.

Microsoft said it has contacted all the potentially affected customers.




Researchers at Orca discovered a flaw that allowed an attacker to interact with an internal server that manages the sandboxes of other customers in order to obtain authentication tokens for other customer accounts.

"Those tokens can be used against Azure to perform any action the customer would have given to the Azure Automation service," cloud security researchers Yanir Tsarimi and Yoav Alon of Orca Security told The Daily Swig.

"Those permissions could allow the attacker to have full control over Azure resources, like virtual machines, and/or data belonging to the customer, depending on the permissions the customer assigned."

Quick fix

These security issues were reported to Microsoft on December 6, which fixed them within four days. "The disclosure process was excellent. The people from the Microsoft Security Response Center are very friendly and responsive," according to Tsarimi and Alon.

The vulnerability is the second cross-tenant issue to have been revealed by Orca in recent months. In January, the security consultancy discovered a vulnerability in the Amazon Web Services (AWS) Glue data integration service.

However, Tsarimi and Alon said that despite their research they don't believe that there are any fundamental security issues with cloud computing.

"We believe that the cloud enables customers to build more secure services faster. Software vulnerabilities exist in all types of software, and the cloud shifts large parts of the responsibility for maintaining and patching security issues away from organizations to the cloud providers," they said.

"Case in point, we found and reported a vulnerability to Azure – they quickly fixed the vulnerability [and] audited the platform to make [sure] it was not exploited by a malicious actor, without the need for the customer to take action."

