Security News > 2023 > April > Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

A "By-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code," Orca said in a new report shared with The Hacker News.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation.

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.

As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "Plans to update how Functions client tools work with storage accounts."

News URL

https://thehackernews.com/2023/04/newly-discovered-by-design-flaw-in.html