hngopher.com

       [HN Gopher] Critical cross-account vulnerability in Microsoft Az...
       ___________________________________________________________________
        
       Critical cross-account vulnerability in Microsoft Azure automation
       service
        
       Author : arkadiyt
       Score  : 136 points
       Date   : 2022-03-07 16:34 UTC (6 hours ago)
        
 (HTM) web link (orca.security)
 (TXT) w3m dump (orca.security)
        
       | theknocker wrote:
        
       | HL33tibCe7 wrote:
       | This seems like a fairly glaring oversight that really shouldn't
       | have happened.
       | 
       | Between this and
       | https://www.rapid7.com/blog/post/2021/09/15/omigod-how-to-au...,
       | I'm starting to lose faith in the security of Azure.
        
         | delusional wrote:
         | I'm worried Azure is getting too large to handle. It's like
         | outlook, where 3 clicks and lead you into the old UI from the
         | 90s. Microsoft seems addicted to breadth of features instead of
         | quality of implementation.
        
         | wronglebowski wrote:
         | Where I work recently disclosed another vulnerability in a
         | similar vein.
         | 
         | https://sra.io/blog/letitgo-a-case-study-in-expired-domains-...
         | 
         | Spooky stuff for sure.
        
         | syshum wrote:
         | I have been told a number of times I should give up on OnPrem
         | because I could never afford to match the security of the
         | cloud.....
         | 
         | The more the cloud is exposed as "just someone else's computer"
         | the easier it is to push back the often false narrative of "too
         | big to be insecure"
        
       | Godel_unicode wrote:
       | Before you freak out too much, this bug has been closed. See
       | below from the finders Twitter feed. Before you relax too much,
       | this was horrifying and you should seriously consider rolling
       | managed identities as well as auditing their usage in your
       | tenants.
       | 
       | "The issue was found and reported all in the same day. Microsoft
       | fixed it within 4 days, classified it with critical severity and
       | awarded a $40,000 #BugBounty"
        
         | Veserv wrote:
         | One of the top cloud companies who everybody assumes are
         | supposed to have security and security experts beyond what you
         | can deploy, which is one of the main reasons given for why you
         | should move to cloud deployment, sold a critical administration
         | service implying it had high security [1] to unsuspecting
         | customers. Where as, in reality, it took a single researcher
         | who had _never heard of the product before_ and who is
         | unfamiliar with the tech stack used in its creation _less than
         | one day_ to completely compromise it. By the internationally
         | recognized Common Criteria standard [2], this would constitute
         | a attack far below even Basic, the lowest certifiable level.
         | 
         | This has happened time and time again to the point where their
         | repeatable security design, process, and validation is
         | demonstrably systemically incapable of rejecting even grossly
         | insecure systems. The benefit of the doubt for the quality of
         | their systems should not be extended to a process that
         | consistently produces abject failures. To assume anything other
         | than the level of quality they produce regularly is an
         | extraordinary claim that requires extraordinary evidence and
         | independent objective verification. So actually, yes, you
         | should freak out if you rely on the security of Azure (or any
         | other cloud for that matter) without independently verifying
         | the quality of _every single service_ you use since their
         | pattern of grossly incompetent security process means you
         | should default to assuming their systems are terrible.
         | 
         | [1] https://azure.microsoft.com/en-
         | us/services/automation/#secur...
         | 
         | [2]
         | https://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5...
        
         | belter wrote:
         | $40,000 is an incredibly low amount this type of severity
         | finding.
        
       | orf wrote:
       | Great find, but I must say that I find the author of the post
       | highlighting a quote from himself to be a bit jarring.
        
       | sylens wrote:
       | This is right after the ChaosDB disclosure in August. What is
       | going on over at Azure?
        
         | randomfool wrote:
         | You skipped over Omigod which was right after ChaosDB.
         | https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-o...
        
           | sylens wrote:
           | Even worse.
        
         | semicolon_storm wrote:
         | As someone who works for a company that heavily utilizes Azure:
         | 
         | 1. Try to hard to get security to be "it just works" feature
         | 
         | 2. Too much handwavy "it's secure because we're in the cloud
         | and say it's secure" logic going on
        
       | upbeat_general wrote:
       | This is pretty horrifying. I've worked on a project that did
       | something similar with having services created on random ports
       | but not only was this not a public service, it was removed from
       | the design before deployment. I can't imagine deploying something
       | like this for a _public_ cloud service that manages account
       | actions with user-generated code.
       | 
       | Security flaws happen but as someone who's not a security
       | professional, this seems pretty inexcusable to me.
        
         | hughrr wrote:
         | The real mockery is it shows you exactly how much the
         | independent certifications they have mean which everyone uses
         | as due diligence check boxing.
        
           | bushbaba wrote:
           | The certs check for process issues such-as not updating your
           | OS. They don't check for poor design.
        
             | acdha wrote:
             | That's the point: too people look at those certifications
             | and see them as an end point rather than the floor of what
             | anyone running a computer should do.
        
       | [deleted]
        
       | tempnow987 wrote:
       | tldr: Microsoft provides a web service that returns user
       | authentication tokens based on port of the request for users
       | using the service without the user having to validate their
       | identity!
       | 
       | The default values of the service include Managed Identity being
       | set to ON.
       | 
       | This default means you don't have to provide or rotate any
       | secrets and the service (which you can get a token to without
       | authenticating) has access to all resources that can be
       | authenticated with Active Directory. So full compromise at root
       | level through a GET request to an endpoint with no
       | authentication.
       | 
       | Do I have this right? Wow.
        
         | yourself92 wrote:
         | Need the keys to the castle? Just ask!
        
       | intunderflow wrote:
       | Didn't Azure have another massive security vulnerability just a
       | few months ago?
        
       ___________________________________________________________________
       (page generated 2022-03-07 23:00 UTC)