Orca Security discovers ‘AutoWarp’, cross-tenant vulnerability within Azure Automation Service

Kareem Anderson

Disclosure about a leak in Microsoft’s Azure Automation platform back in December 2021, has recently surfaced to highlight a possible cross-tenant vulnerability within the process.

According to a report from Venture Beat, Microsoft was fortunate enough to have the exploit reported by a friendly researcher from Orca Security firm who managed to find a report the Azure Automation vulnerability before any malicious hackers were able to take advantage of the lapse in security.

Had Orca not been on the case, the vulnerability had the power to allow someone to cross from one Azure tenant to another with access to customer data and information.

Orca researcher Yanir Tsarimi reported the tenant vulnerability dubbed AutoWarp, to Microsoft on December 6, 2021 and the company says it patched the exploit four days later, on December 10, 2021.

In the time prior to its discovery or the four days after, ““You could have very easily gotten a lot of access to a lot of customers,” said Yoav Alon, CTO at cloud security firm Orca Security.

Specifically, the AutoWarp vulnerability would have allowed hackers to leverage permissions put into place by businesses to help automate processes and access full account resources dependent on the current setup.

While the explanation may come off as tertiary, the mechanics are scarily simple with the exploit posing one of the most severe consequences in the cloud, according to Alon.

So actually, being able to take over or access someone else’s account is a very big breach. It’s considered one of the biggest security breaches that you can have in the cloud. That’s one of the core promises of the cloud providers — they promise you that no other tenants will be able to access your data or your resources.

Alon’s statement piggybacks on the write up from Yanir Tsarimi on the company’s blog that includes full technical details such as logs, sandboxes, timelines, and more.

Microsoft’s Azure Automation wasn’t the only cloud service provider that’s been contacted by Orca regarding cross-tenant vulnerabilities. In January, Tsarimi published another report about a similar exploit dubbed Superglue in Amazon Web Services (AWS).

We discovered a critical security issue in the AWS Glue service that could allow an actor to create resources and access data of other AWS Glue customers. The exploit was a complex multi-step process and was ultimately possible due to an internal misconfiguration within AWS Glue. The Glue service has access to large quantities of data, making it a highly attractive target.

In a similar fashion, there were no customer accounts “inappropriately accessed”, but Alon warns that simple flaws such as these will continue to have much greater impacts as more people put information into the cloud.