Researchers have demonstrated that Microsoft Azure Shared Key authorization can be abused to gain full access to storage accounts and potentially to critical business assets. Further, it can be used to move laterally in the environment and even to execute code remotely.
Though Microsoft already recommends disabling shared key access and using Azure Active Directory authentication instead, it is still enabled by default when creating storage accounts.
Azure storage accounts can host different data objects, such as blobs and file shares. By default, requests to an Azure Storage account can be authorized either with Azure AD credentials or with the account access key, using Shared Key authorization.
Once the storage account has been created, Azure generates two 512-bit storage account access keys for the account. Microsoft warns that anyone who can obtain one of these keys can authorize access to data via Shared Key Authorization and get access to a storage account.
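Because Shared Key authorization stays enabled unless it is explicitly turned off, a quick audit is to list the storage accounts in a subscription and flag every one whose `allowSharedKeyAccess` property is not explicitly `false` (a `null` value is the untouched default, which Azure treats as enabled). The script below is an added example and not part of the original report or of Orca Security's tooling; it parses a constructed sample in the shape of `az storage account list --output json` (the account and resource group names are placeholders) and emits, for each affected account, the `az storage account update --allow-shared-key-access false` command that moves it to Azure AD-only authorization.

```python
"""Audit Azure storage accounts for Shared Key authorization still enabled.

Input is the JSON that `az storage account list --output json` emits (one
object per account). The `allowSharedKeyAccess` property is null when it has
never been set, and Azure treats that as enabled, so only an explicit false
counts as disabled.
"""
import json
from typing import Any

# Constructed sample (not real output) trimmed to the fields used here;
# account and resource group names are placeholders.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stfuncappprod", "resourceGroup": "rg-prod", "allowSharedKeyAccess": null},
  {"name": "stlogsarchive", "resourceGroup": "rg-ops", "allowSharedKeyAccess": true},
  {"name": "stsecurehardened", "resourceGroup": "rg-prod", "allowSharedKeyAccess": false}
]
"""


def shared_key_enabled(account: dict[str, Any]) -> bool:
    """True unless the account explicitly sets allowSharedKeyAccess to false.

    A missing or null value is the service default, which permits Shared Key.
    """
    return account.get("allowSharedKeyAccess") is not False


def audit_shared_key(accounts: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per account that still accepts Shared Key authorization.

    Each finding carries the Azure CLI command that disables it; Azure AD
    (RBAC) authorization keeps working after the change.
    """
    findings = []
    for acct in accounts:
        if not shared_key_enabled(acct):
            continue
        state = ("default (null)" if acct.get("allowSharedKeyAccess") is None
                 else "explicitly enabled")
        findings.append({
            "name": acct["name"],
            "resourceGroup": acct["resourceGroup"],
            "state": state,
            "remediation": (
                f"az storage account update --name {acct['name']} "
                f"--resource-group {acct['resourceGroup']} "
                f"--allow-shared-key-access false"
            ),
        })
    return findings


def audit_from_json(text: str) -> list[dict[str, str]]:
    """Parse `az storage account list` JSON and run the audit over it."""
    return audit_shared_key(json.loads(text))


if __name__ == "__main__":
    # Replace SAMPLE_ACCOUNTS_JSON with: az storage account list --output json
    for finding in audit_from_json(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['name']} ({finding['resourceGroup']}): "
              f"shared key {finding['state']}")
        print(f"  fix: {finding['remediation']}")
```

Before applying the remediation, confirm that the workloads using each account (Function Apps in particular) are configured for identity-based connections: once Shared Key authorization is disallowed, Azure Storage rejects every request signed with an account key, which includes account and service SAS tokens, and only Azure AD-authorized requests (including user delegation SAS) continue to succeed.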
Once an attacker has obtained the keys within the cloud environment, they can access information in storage accounts, including the source code of Azure Functions, and manipulate that code to steal and exfiltrate an access token for the managed identity assigned to the Azure Function App, escalating privileges.
Also, if a managed identity is used to invoke the Function App, it could be abused to execute arbitrary commands. By overwriting function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit further resources, and compromise the victim's most valuable crown jewels.
The researchers shared their discovery with Microsoft, but were told in response that the issue is not a vulnerability but rather a by-design flaw that would require significant changes to address.
This research was documented by researchers from Orca Security.