Azure Automation “AutoWarp” Flaw Fixed in Four Days
Microsoft fixed a critical flaw in Azure Automation late last year. Dubbed “AutoWarp,” the vulnerability could have been exploited to allow users to access and take control of other users’ accounts. Researchers from Orca Security reported the flaw to Microsoft on December 6, 2021. Microsoft fixed the vulnerability four days later.
This is a success story where responsible disclosure and a prompt response by the software owner quickly closed a serious cross-tenant cloud threat. It points out two things: (1) vulnerabilities will continue to be found in cloud platforms, meaning (2) platform-specific security best practices (like Microsoft’s for Azure or the excellent Center for Internet Security Azure Benchmark (https://www.cisecurity.org/benchmark/azure)) need to be followed and audited against.
While it remains true that cloud providers, especially the larger players, can make their platforms more secure than many organisations can make their own on-premises systems, it should always be remembered that security is never binary: continuous risk assessment, multi-layer controls, and detection and response capabilities remain top priorities when you move to the cloud.
This was resolved in four days; the vulnerability disclosure agreement didn’t allow publication until March 7th. Make sure that you are following Microsoft’s security guidelines for Azure Automation (https://docs.microsoft.com/en-us/azure/automation/automation-security-guidelines): use accounts with the minimum required privileges, use managed identities rather than Run As accounts, and rotate keys periodically. If you must use Run As accounts, renew their certificates periodically and verify that their permissions are as locked down as possible. Secure credentials, certificates, connections and encrypted variables; use either Microsoft-managed or customer-managed keys to keep this information encrypted.
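An added audit check (not from the original post or from Microsoft's own tooling) that evaluates an Automation account against the practices above: managed identity in place of Run As, certificates not near expiry, and variables stored encrypted. It takes the JSON that an ARM REST call (for example via `az rest`) returns for the account and its connections, certificates and variables; the response shapes and the `AzureServicePrincipal` connection-type name used to spot Run As assets are assumptions, so confirm them against your tenant.

```python
"""Added audit of an Azure Automation account against the page's checklist:
managed identity instead of Run As, fresh certificates, encrypted variables.
Input shapes follow the Automation ARM REST list responses (assumption)."""
from datetime import datetime, timedelta, timezone

def audit_automation_account(account, connections, certificates, variables,
                             now, cert_warn_days=30):
    """Return (severity, message) findings; an empty list means no issues."""
    findings = []
    identity = (account.get("identity") or {}).get("type", "None")
    if identity == "None":
        findings.append(("high", "no managed identity; runbooks must rely on "
                         "Run As credentials or stored keys"))
    for conn in connections.get("value", []):
        # Run As accounts are surfaced as an AzureServicePrincipal connection
        ctype = conn["properties"].get("connectionType", {}).get("name")
        if ctype == "AzureServicePrincipal":
            findings.append(("medium", f"Run As connection '{conn['name']}' "
                             "present; migrate runbooks to managed identity"))
    for cert in certificates.get("value", []):
        expiry = datetime.fromisoformat(cert["properties"]["expiryTime"])
        left = expiry - now
        if left < timedelta(0):
            findings.append(("high", f"certificate '{cert['name']}' has expired"))
        elif left < timedelta(days=cert_warn_days):
            findings.append(("medium", f"certificate '{cert['name']}' expires "
                             f"in {left.days} days; renew it"))
    for var in variables.get("value", []):
        if not var["properties"].get("isEncrypted", False):
            findings.append(("low", f"variable '{var['name']}' is not encrypted"))
    return findings

# Constructed sample responses, not real tenant data.
SAMPLE_ACCOUNT = {"name": "aa-prod", "identity": {"type": "None"}}
SAMPLE_CONNECTIONS = {"value": [{"name": "AzureRunAsConnection", "properties":
    {"connectionType": {"name": "AzureServicePrincipal"}}}]}
SAMPLE_CERTIFICATES = {"value": [{"name": "AzureRunAsCertificate", "properties":
    {"expiryTime": "2021-12-20T00:00:00+00:00"}}]}
SAMPLE_VARIABLES = {"value": [{"name": "StorageKey", "properties":
    {"isEncrypted": False}}]}

def run_sample_audit():
    now = datetime(2021, 12, 6, tzinfo=timezone.utc)
    return audit_automation_account(SAMPLE_ACCOUNT, SAMPLE_CONNECTIONS,
                                    SAMPLE_CERTIFICATES, SAMPLE_VARIABLES, now)

if __name__ == "__main__":
    for severity, message in run_sample_audit():
        print(f"[{severity}] {message}")
```

Run it against a clean account (managed identity enabled, no Run As connection, encrypted variables) and it returns an empty list; the sample data deliberately trips every check.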