Orca Security researchers discovered two vulnerabilities in Amazon’s AWS and Microsoft’s Azure clouds that could have allowed users to access other customers’ infrastructure.
Amazon and Microsoft fixed the issues before anyone was compromised.
“That’s the beauty of the cloud,” said Yanir Tsarimi, a security researcher at Orca who discovered the issues. “If an issue like this is discovered, it’s fixed by the vendor and customers don’t have to do anything. It’s just taken care of.”
Tsarimi reported the AutoWarp cross-tenant vulnerability to Microsoft on Dec. 6, he said, and Microsoft fixed it four days later.
There was no evidence attackers exploited the vulnerability before it was patched, Microsoft said in a statement on Monday.
Whose are these tokens anyway
According to a report from Orca Security on Monday, there was an authentication flaw in the Microsoft Azure Automation service, which allows customers to create automations for their cloud environments.
Each client’s code runs in a sandbox, isolated from the code of other clients running in the same virtual machine.
However, the server that runs these sandboxes had a security hole, and Tsarimi was able to obtain authentication tokens belonging to other clients, including a global telecommunications company, two car manufacturers, a banking conglomerate, four major law firms, accounting firms, and others.
It was a pretty serious flaw. Because users set up automations to do things in their cloud environment, the automations must have permissions to do those things. If attackers get their hands on the authentication tokens, they can have all that access themselves.
“So if you’re using automation to manage VMs, an attacker could take the token and interact with your VMs,” Tsarimi said. “If you allowed full access to virtual machines, the attacker would have full access.”
This could include database access or the ability to create new cryptocurrency mining workloads.
Attackers could also encrypt things or remove resources, he added.
The lesson here for businesses is to follow the principle of least privilege, Tsarimi said. With least privilege, resources get only the permissions they need, and nothing more, to minimize potential risk.
There are also some best practices customers should follow for security when it comes to Azure Automation, he said.
Microsoft released best practices earlier this month, with least privilege being the top recommendation.
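The point of least privilege here is blast radius: whatever an Automation identity's token can do, a thief of that token can do too. As an added example (not code from Orca's report or from Microsoft's guidance), the following audits a constructed list of Azure role assignments and flags Automation identities whose token would grant broad roles or subscription-wide scope; the principal names, scopes and the set of "broad" roles are assumptions for illustration.

```python
"""Least-privilege audit for Azure Automation identities (constructed sample data)."""
from dataclasses import dataclass

# Roles whose theft gives far more than a runbook usually needs (assumed set).
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # display name of the identity holding the role
    role: str       # Azure built-in role name
    scope: str      # ARM scope string the role applies to


def scope_level(scope: str) -> str:
    """Classify an ARM scope as 'subscription', 'resourceGroup' or 'resource'."""
    parts = [p for p in scope.split("/") if p]
    if "resourceGroups" not in parts:
        return "subscription"          # e.g. /subscriptions/<id>
    idx = parts.index("resourceGroups")
    # /subscriptions/<id>/resourceGroups/<rg> has exactly idx + 2 segments
    return "resourceGroup" if len(parts) == idx + 2 else "resource"


def audit(assignments, automation_principals):
    """Return (principal, role, scope, reason) for over-broad Automation grants."""
    findings = []
    for a in assignments:
        if a.principal not in automation_principals:
            continue                    # only Automation identities are in scope here
        reasons = []
        if a.role in BROAD_ROLES:
            reasons.append(f"broad role '{a.role}'")
        if scope_level(a.scope) == "subscription":
            reasons.append("subscription-wide scope")
        if reasons:
            findings.append((a.principal, a.role, a.scope, "; ".join(reasons)))
    return findings


# Constructed sample: one over-privileged and one well-scoped Automation identity.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AUTOMATION_PRINCIPALS = {"aa-prod-identity", "aa-dev-identity"}
SAMPLE = [
    RoleAssignment("aa-prod-identity", "Contributor", SUB),
    RoleAssignment("aa-prod-identity", "Virtual Machine Contributor", f"{SUB}/resourceGroups/prod-rg"),
    RoleAssignment("alice@example.com", "Owner", SUB),   # human user, not audited here
    RoleAssignment("aa-dev-identity", "Reader", SUB),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, AUTOMATION_PRINCIPALS):
        print(finding)
```

The well-scoped assignment (a VM role limited to one resource group) produces no finding, which is the shape Microsoft's guidance points toward.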
The idea that a cloud client can access other people’s environments sounds scary, said Yoav Alon, CTO at Orca.
But despite the existence of vulnerabilities like AutoWarp, the public cloud remains one of the most secure environments for computing workloads.
“And when we found it, it was fixed and customers didn’t have to do anything to stop being vulnerable,” he said.
In comparison, if a vulnerability is discovered in an on-premises environment, customers must perform all the fixes themselves, which can have a significant impact on their operations.
“We think it’s better for the cloud provider to fix the problem and audit malicious activity and notify customers if something happens in their account than if they had to do it all themselves,” Alon said.
The only thing that remains a mystery is how long the AutoWarp vulnerability was in place before Orca discovered it, since that information is only available to Microsoft itself.
“We can only speculate,” Alon said. “We don’t have definitive answers.” But he estimated that it may have been there for one to two years.
AWS Superglue Vulnerability
In January, Tsarimi published a report on a similar cross-tenant vulnerability in the AWS Glue service.
AWS Glue is a data integration service. In the same way that Azure Automation accesses customer cloud environments with the goal of automating them, AWS Glue accesses large amounts of data.
Again, Tsarimi was able to obtain authentication tokens to access other customers’ AWS Glue services.
The Superglue vulnerability was probably even more risky than AutoWarp, he said, but it was also a very complex exploit that required weeks of research.
“Vulnerabilities exist in all software,” Alon said. “And we also expect to find vulnerabilities in smaller cloud providers.”
Orca plans to conduct similar research on all major cloud providers, he said.