Microsoft Acknowledges “AutoWarp” Critical Security Vulnerability Affecting Azure Automation Service

Microsoft has addressed a new critical security vulnerability in its Azure Automation service. The vulnerability, dubbed “AutoWarp,” was mitigated in December 2021, and the company confirmed that it could have enabled malicious actors to access the data and resources of other Azure customers.

The cross-tenant vulnerability was first discovered by a researcher at Orca Security and reported to Microsoft on December 6, 2021. Essentially, the AutoWarp flaw allowed threat actors to access the Managed Identity tokens of other tenants.

“Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explained Yoav Alon, CTO at Orca Security. “This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer.”

Microsoft Azure Automation is a popular service that lets organizations create, deploy, monitor, and maintain their cloud resources. It helps users save time and resources by making it easier to automate repetitive management tasks. The service provides several features and capabilities, such as process automation, configuration management, and update management.

Microsoft patched the AutoWarp security flaw in December 2021

The AutoWarp security flaw potentially exposed several Azure customers, including accounting firms, a banking conglomerate, a global telecom company, car manufacturers, and more. The Redmond giant released a patch on December 10 that fixed the security flaw by preventing unauthorized access to authorization tokens to all sandbox environments.

Microsoft claims that it has not found any evidence that these tokens have been exploited by threat actors in malicious attacks. However, all Azure Automation service users that may have been affected by the AutoWarp vulnerability have been notified, and the company is recommending customers follow the security guidelines available on this support page.