Critical Exploitation Path Uncovered in Microsoft Azure Shared Key Authorization by Orca Security Researchers

Researchers at Orca Security have uncovered a critical exploitation path involving Microsoft Azure Shared Key authorization, which could lead to subscription privilege escalation and remote code execution (RCE). In a blog post published on April 11, 2023, Orca Security detailed their discovery and the potential impact it may have on organizations utilizing Microsoft Azure’s cloud services.

The exploitation path abuses Microsoft Azure Shared Key authorization, a secret-key-based authentication method for storage accounts. The Orca Security research team showed that an attacker who obtains a storage account's Shared Key, whether through a leak or through an Azure role assignment that grants the listKeys permission, gains full access to the storage account and the data it holds, including potentially critical business assets. From there the attacker can move laterally within the target environment and ultimately execute remote code.

Microsoft is aware of the risks of Shared Key authorization and already recommends disabling Shared Key access in favor of Azure Active Directory authentication. Despite that guidance, Shared Key authorization remains enabled by default on newly created storage accounts, so any account that has not been explicitly reconfigured still accepts key-based requests.

Upon discovering the exploitation path, Orca Security reached out to the Microsoft Security Response Center (MSRC), who acknowledged the issue but classified it as a “by-design flaw” rather than a vulnerability. Microsoft explained that the flaw is an inherent part of the system’s design and that significant changes would be required to address it. The company is planning updates to provide improved safeguards for customers, including changes to storage account defaults for Azure Functions experiences.

Orca Security has taken swift action to help its customers reduce their exposure. The company now alerts on entities (users, groups and service principals) that hold the Azure listKeys permission, so organizations can remove it from principals that do not strictly need it. Applying the principle of least privilege in this way significantly reduces exposure to the threat.
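Finding the principals that can call listKeys is less obvious than grepping role definitions for the string, because Azure RBAC roles use wildcards (a role whose Actions are `*` or `Microsoft.Storage/*` grants listKeys without ever naming it, minus anything in its NotActions) and because role assignments inherit down the scope hierarchy (an assignment on the subscription or resource group applies to every storage account beneath it). The script below is an added example, not Orca's detection logic; the role definitions and assignments in it are constructed, simplified samples in the shape returned by `az role definition list` and `az role assignment list`, not Azure's exact built-in roles.

```python
"""Find principals whose Azure RBAC assignments let them call listKeys on a
given storage account. Added example with constructed sample data.
Only control-plane Actions/NotActions are evaluated; DataActions are ignored
because listKeys is a control-plane action."""
import re

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed, simplified role definitions (not Azure's exact built-in roles).
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": ["Microsoft.Authorization/*/Write"]},
    "Storage Account Contributor": {"Actions": ["Microsoft.Storage/storageAccounts/*"], "NotActions": []},
    "Custom Key Reader": {"Actions": [LIST_KEYS], "NotActions": []},
    "Storage Ops No Keys": {"Actions": ["Microsoft.Storage/*"], "NotActions": [LIST_KEYS]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
TARGET = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodfuncstorage"

# Constructed sample assignments: (principal, role name, scope).
ROLE_ASSIGNMENTS = [
    ("alice@example.com", "Contributor", SUB),                                   # wildcard '*' at subscription
    ("bob@example.com", "Reader", SUB),                                          # '*/read' does not cover listKeys
    ("ci-pipeline-sp", "Storage Account Contributor", SUB + "/resourceGroups/rg-prod"),  # inherited from the RG
    ("backup-sp", "Custom Key Reader", TARGET),                                  # explicit, on the account itself
    ("monitor-sp", "Storage Ops No Keys", SUB),                                  # NotActions removes listKeys
    ("carol@example.com", "Contributor", SUB + "/resourceGroups/rg-other"),      # wrong scope
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters, '/'
    included; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """A role grants an action if some Actions pattern matches it and no
    NotActions pattern does. NotActions only subtracts from this role; a
    second assignment can still grant the action."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment applies to a resource if its scope is the resource itself
    or an ancestor; the prefix must end on a '/' boundary so that
    rg-prod does not cover rg-production."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def principals_with_list_keys(resource_id, assignments=ROLE_ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """Return (principal, role, scope) for every assignment that effectively
    grants listKeys on resource_id."""
    hits = []
    for principal, role_name, scope in assignments:
        if scope_covers(scope, resource_id) and role_grants(roles[role_name], LIST_KEYS):
            hits.append((principal, role_name, scope))
    return hits


if __name__ == "__main__":
    for principal, role, scope in principals_with_list_keys(TARGET):
        print(f"{principal:20s} via {role!r} at {scope}")
```

To run this against a real subscription, replace the two constructed tables with the output of `az role assignment list --all -o json` and `az role definition list -o json` (the latter carries the Actions/NotActions lists under `permissions`). Every principal the function returns can mint the account key and therefore bypass every Azure AD check on that storage account.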

The exploitation path discovered by Orca Security poses a significant risk to organizations, particularly those that rely heavily on Microsoft Azure’s cloud services. As there is no straightforward “fix” for the by-design flaw, organizations are advised to disable Azure Shared Key authorization where possible and use Azure Active Directory authentication instead.

The risks of this exploitation scenario can be mitigated by applying the principle of least privilege: grant users and entities only the permissions they strictly need, which limits the scope for unauthorized access and exploitation. Organizations can further strengthen their posture by disabling Shared Key authorization on their storage accounts altogether and relying on Azure Active Directory authentication instead.
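Because Shared Key access is on by default, an audit has to treat an account whose `allowSharedKeyAccess` property is absent (null) the same as one where it is explicitly true; only an explicit false means the key cannot be used. The script below is an added example, not Orca's or Microsoft's tooling: it runs over a constructed sample of the JSON that `az storage account list -o json` prints, flags every account that still accepts Shared Key requests, and emits the Azure CLI command that turns the setting off.

```python
"""Flag Azure storage accounts that still accept Shared Key authorization.
Added example over constructed sample data shaped like `az storage account
list -o json` output, trimmed to the fields the check needs."""
import json
from typing import Iterable

# Constructed sample output. The first account was never configured, so the
# property is null and the platform default (Shared Key enabled) applies.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "prodfuncstorage", "resourceGroup": "rg-prod", "allowSharedKeyAccess": None},
    {"name": "analyticsdata", "resourceGroup": "rg-data", "allowSharedKeyAccess": True},
    {"name": "hardenedlogs", "resourceGroup": "rg-sec", "allowSharedKeyAccess": False},
])


def shared_key_enabled(account: dict) -> bool:
    """True unless allowSharedKeyAccess is explicitly false.
    A missing or null property means the default, which is enabled."""
    return account.get("allowSharedKeyAccess") is not False


def accounts_allowing_shared_key(az_json: str) -> list[dict]:
    """Parse `az storage account list` output and keep the exposed accounts."""
    return [a for a in json.loads(az_json) if shared_key_enabled(a)]


def remediation_commands(accounts: Iterable[dict]) -> list[str]:
    """One Azure CLI command per account that disables Shared Key authorization."""
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in accounts
    ]


if __name__ == "__main__":
    flagged = accounts_allowing_shared_key(SAMPLE_AZ_OUTPUT)
    for a in flagged:
        state = "null (default: enabled)" if a.get("allowSharedKeyAccess") is None else "true"
        print(f"{a['name']:20s} allowSharedKeyAccess={state}")
    print()
    print("\n".join(remediation_commands(flagged)))
```

Before running the generated commands, inventory the clients of each account: once the setting is false, every request authorized with the account key, or with a SAS token signed by it, is rejected, and the default Azure Functions storage connection (AzureWebJobsStorage) is one such key-based client, which is why Microsoft's planned changes single out the Functions defaults.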

Microsoft acknowledges the risks associated with shared key authorization and is actively taking steps to move away from this authentication method. In a published blog post, Microsoft provides valuable insights into best practices for securing Azure storage accounts and details the company’s ongoing efforts to improve security by transitioning away from shared key authorization. Organizations are encouraged to follow Microsoft’s guidance to strengthen their cloud security and protect against potential threats.