Microsoft Azure 'AutoWarp' Bug Could Have Let Attackers Access Customers' Accounts
2022-03-08 09:51

Details have been disclosed about a now-addressed critical vulnerability in Microsoft's Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and allowed an attacker to take over control.

The Azure Automation service allows for process automation, configuration management, and handling operating system updates within a defined maintenance window across Azure and non-Azure environments.

Dubbed "AutoWarp," the issue affects all users of the Azure Automation service that have the Managed Identity feature turned on.

"Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed," Microsoft Security Response Center said in a statement.

While the automation jobs are designed to be isolated by means of a sandbox to prevent access by other code running on the same virtual machine, the vulnerability made it possible for a bad actor executing a job in an Azure Sandbox to obtain the authentication tokens of other automation jobs.

In December 2021, Microsoft also resolved another security weakness in the Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017.


News URL

https://thehackernews.com/2022/03/microsoft-azure-autowarp-bug-could-have.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774