Azure Cross Tenant Vulnerability

A cross tenant access flaw was disclosed that could lead to information bleed in  Microsoft’s Azure Automation platform back in December 2021.

Microsoft was fortunate enough to have the exploit reported by a researcher from Orca Security firm who managed to find a report the Azure Automation vulnerability before any malicious hackers were able to take advantage of the lapse in security. The vulnerability had the power to allow someone to cross from one Azure tenant to another with access to customer data and information.

Orca researcher reported the tenant vulnerability dubbed AutoWarp, to Microsoft on December 6, 2021, and the company says it patched the exploit four days later, on December 10, 2021.

The AutoWarp vulnerability would have allowed hackers to leverage permissions put into place by businesses to help automate processes and access full account resources dependent on the current setup.

Orca said that customers could have been vulnerable to AutoWarp prior to it being fixed if they’ve been using the Azure Automation service and the Managed Identity feature in their automation account was enabled. This feature is enabled by default.

Microsoft’s Azure Automation wasn’t the only cloud service provider that’s been contacted by Orca regarding cross-tenant vulnerabilities. In January, Tsarimi published another report about a similar exploit dubbed Superglue in Amazon Web Services (AWS).

We discovered a critical security issue in the AWS Glue service that could allow an actor to create resources and access data of other AWS Glue customers. The exploit was a complex multi-step process and was ultimately possible due to an internal misconfiguration within AWS Glue. The Glue service has access to large quantities of data, making it a highly attractive target.