Tokens coincheck breach tokens vulnerability attacks
A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.

The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.

Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.

"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.
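Because the weak link described above is Shared Key authorization being enabled by default, the practical defensive check is an inventory audit: which storage accounts still accept shared-key (and therefore key-signed SAS) access. The script below is an added example, not code from the article, Orca, or Microsoft. It assumes an inventory exported in the shape of `az storage account list -o json`, where `allowSharedKeyAccess` is the real ARM property and a missing or null value means the platform default (enabled); the sample inventory and account names are constructed.

```python
"""Audit a storage-account inventory for Shared Key authorization left enabled.

Added example; assumes input shaped like `az storage account list -o json`.
"""
import json

# Constructed sample inventory (fields mimic `az storage account list` output).
# A null allowSharedKeyAccess is the default, i.e. Shared Key auth is enabled.
SAMPLE_INVENTORY = json.dumps([
    {"name": "stfuncprod01", "resourceGroup": "rg-functions", "allowSharedKeyAccess": None},
    {"name": "stdata02", "resourceGroup": "rg-data", "allowSharedKeyAccess": False},
    {"name": "stlogs03", "resourceGroup": "rg-ops", "allowSharedKeyAccess": True},
])


def shared_key_enabled(account: dict) -> bool:
    """Shared Key authorization is on unless the property is explicitly False.

    Treating "missing" as enabled matters: an account that was never touched
    still accepts key-based and key-signed SAS access.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(inventory_json: str) -> list:
    """Return the names of accounts that still accept Shared Key authorization."""
    accounts = json.loads(inventory_json)
    return sorted(a["name"] for a in accounts if shared_key_enabled(a))


def remediation_commands(inventory_json: str) -> list:
    """Emit the `az storage account update` call that disables Shared Key auth
    for each flagged account (the --allow-shared-key-access flag is real)."""
    accounts = json.loads(inventory_json)
    return [
        "az storage account update --name {} --resource-group {} "
        "--allow-shared-key-access false".format(a["name"], a["resourceGroup"])
        for a in accounts
        if shared_key_enabled(a)
    ]


if __name__ == "__main__":
    for name in find_shared_key_accounts(SAMPLE_INVENTORY):
        print("Shared Key auth enabled:", name)
    for cmd in remediation_commands(SAMPLE_INVENTORY):
        print(cmd)
```

Run it against `az storage account list -o json` piped into a file to get the flagged accounts and the matching remediation commands. One caveat before turning Shared Key authorization off on the storage account backing a Function app: the app's `AzureWebJobsStorage` setting normally carries a key-bearing connection string, so it has to be moved to an identity-based connection first or the app stops working.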