Description
Azure Automation Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Azure Automation “RunAs account” runbooks for users with contributor role. This vulnerability could potentially allow members of an organization to access Key Vault secrets through a runbook, even if these members would personally not have access to that Key Vault.
To exploit this vulnerability, an attacker must be a member of an organization who can run runbooks; only global admins/co-admins can create the “Run As” account.
Microsoft is addressing the vulnerability by providing the following scripts for existing Automation Run As accounts, which modify their existing role assignments to exclude access to Key Vault within the Azure Automation account.
FAQ
1. What is Azure Automation?
Azure Automation is an Azure service which executes PowerShell and Python runbooks on behalf of a user. As part of the Azure Automation service, a “RunAs account” may be created. The “RunAs account” is a Service Principal – an Azure Active Directory app which can execute actions on a user’s behalf. Azure Automation can use RunAs accounts inside of Azure Automation runbooks to access Azure resources in a programmatic way.
2. What do I need to do to protect my service against this vulnerability?
Microsoft is providing scripts that help users to:
- Restrict Automation RunAs accounts from accessing Key Vaults.
- Selectively grant Automation RunAs accounts permissions for specific Key Vaults. These scripts can be further customized by users to their individual needs.
3. Where can I find these scripts?
- https://www.powershellgallery.com/packages/Update-AutomationRunAsAccountRoleAssignments
- https://www.powershellgallery.com/packages/Extend-AutomationRunAsAccountRoleAssignmentToKeyVault
For more information about limiting Run As account permissions, see Manage Azure Automation Run As accounts.
4. How do I know if I need to run the script for RunAs accounts?
Microsoft has provided a script to help users determine if they are affected:
- Check permissions on RunAs accounts: https://www.powershellgallery.com/packages/Check-AutomationRunAsAccountRoleAssignments
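The check described in questions 2 and 4 above, as an added Azure PowerShell example that is not Microsoft's published script: it resolves the Run As service principal from the Automation account's connection asset and reports any RBAC assignment or Key Vault access policy that would let that principal reach vault secrets. It assumes the Az.Accounts, Az.Automation, Az.Resources and Az.KeyVault modules, an existing Connect-AzAccount session, and placeholder resource names.

```powershell
# Added audit example (not Microsoft's Check-AutomationRunAsAccountRoleAssignments script).
# Assumes: Az modules installed, Connect-AzAccount already run, placeholder names below.
param(
    [string]$ResourceGroupName     = 'rg-placeholder',   # placeholder
    [string]$AutomationAccountName = 'aa-placeholder'    # placeholder
)

# The Run As connection asset stores the service principal's ApplicationId.
$conn  = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsConnection'
$appId = $conn.FieldDefinitionValues['ApplicationId']
$sp    = Get-AzADServicePrincipal -ApplicationId $appId

$findings = @()

# 1. Control plane (RBAC): any role on the principal that allows Microsoft.KeyVault/*
#    (Contributor, Owner, or a custom role with '*') without excluding it in NotActions.
foreach ($ra in Get-AzRoleAssignment -ObjectId $sp.Id) {
    $role = Get-AzRoleDefinition -Name $ra.RoleDefinitionName
    $allows   = $role.Actions    | Where-Object { $_ -eq '*' -or $_ -like 'Microsoft.KeyVault/*' }
    $excluded = $role.NotActions | Where-Object { $_ -eq 'Microsoft.KeyVault/*' }
    if ($allows -and -not $excluded) {
        $findings += [pscustomobject]@{
            Kind = 'RBAC'; Scope = $ra.Scope; Detail = $ra.RoleDefinitionName
        }
    }
}

# 2. Data plane: vault access policies that name the Run As principal directly.
foreach ($kv in Get-AzKeyVault) {
    $vault = Get-AzKeyVault -VaultName $kv.VaultName
    foreach ($policy in $vault.AccessPolicies) {
        if ($policy.ObjectId -eq $sp.Id -and $policy.PermissionsToSecrets) {
            $findings += [pscustomobject]@{
                Kind = 'AccessPolicy'; Scope = $vault.VaultName
                Detail = ($policy.PermissionsToSecrets -join ',')
            }
        }
    }
}

# Anything listed here is a path from a runbook to Key Vault secrets and should be
# removed or narrowed to the specific vaults the runbooks actually need.
if ($findings) { $findings | Format-Table -AutoSize }
else { "Run As principal $appId has no Key Vault access path." }
```

The RBAC check is coarse by design: it flags a role whenever Key Vault actions are allowed at any scope, so review each finding against the vaults that are actually in scope before removing assignments.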
Related vulnerabilities
An elevation of privilege vulnerability exists in Azure Automation "RunAs account" runbooks for users with contributor role, aka 'Azure Automation Elevation of Privilege Vulnerability'.
A vulnerability in the Azure Automation service of the Windows operating system, related to insecure privilege management, allowing an attacker to elevate their privileges.