Microsoft Acknowledges “AutoWarp” Critical Security Vulnerability Affecting Azure Automation Service
Microsoft has addressed a new critical security vulnerability in its Azure Automation service. The vulnerability, labeled “AutoWarp,” was mitigated in December 2021, and the company confirmed that it could have enabled malicious actors to gain access to the data and resources of other Azure customers.
The cross-tenant vulnerability was first discovered by a researcher at Orca Security and reported to Microsoft on December 6, 2021. Essentially, the AutoWarp flaw allowed threat actors to access the Managed Identities tokens of other tenants.
“Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explained Yoav Alon, CTO at Orca Security. “This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer.”
Microsoft Azure Automation is a popular service that lets organizations create, deploy, monitor, and maintain their cloud resources. It helps users save time and resources by making it easier to automate repetitive management tasks. The Azure Automation service provides several features and capabilities, such as process automation, configuration, and update management.
Microsoft patched the AutoWarp security flaw in December 2021
The AutoWarp security flaw potentially exposed several Azure customers, including accounting firms, a banking conglomerate, a global telecom company, car manufacturers, and more. The Redmond giant released a patch on December 10 that fixed the security flaw by preventing unauthorized access to authorization tokens in all sandbox environments.
Microsoft claims that it has not found any evidence that these tokens have been exploited by threat actors in malicious attacks. However, all Azure Automation service users who may have been affected by the AutoWarp vulnerability have been notified, and the company recommends that customers follow the security guidelines available on this support page.