Azure API Vulnerabilities Expose VPN Keys and Grant Over-Privileged Access via Built-In Roles
Token Security experts recently conducted a thorough investigation that exposed serious security weaknesses in Microsoft Azure’s Role-Based Access Control (RBAC) architecture.
Azure RBAC, the backbone of permission management in the cloud platform, allows administrators to assign roles to users, groups, or service principals with predefined permissions at varying scopes, from entire subscriptions to specific resources.
However, the investigation unearthed that several built-in roles intended to provide limited, service-specific access are misconfigured with excessive privileges.
Roles such as Managed Applications Reader and Log Analytics Reader, among a total of 10 identified, grant the overly broad */read permission, effectively mirroring the generic Reader role.
This allows access to sensitive metadata across all Azure resources, far beyond what their descriptions suggest.
Such over-privileging can enable attackers to extract credentials from automation accounts, map network configurations for further exploitation, and uncover critical data in storage accounts or backup vaults, creating a fertile ground for privilege escalation and attack planning.
Exploiting Azure API to Leak VPN Pre-Shared Keys
Compounding the issue, researchers discovered a severe vulnerability in the Azure API that permits the leakage of VPN Gateway pre-shared keys (PSKs) using only read permissions.
Typically, Azure enforces permissions through HTTP method distinctions: read-only operations use GET, while sensitive data retrievals are safeguarded with POST requests to block unauthorized access.
However, an oversight in the API design led to the VPN connection shared key retrieval being implemented as a GET request, bypassing intended security controls.
This flaw allows an attacker with minimal read access, often obtained via the aforementioned over-privileged roles, to fetch the PSK for Site-to-Site (S2S) VPN connections.
Armed with this key, a malicious actor could establish a rogue connection, gaining unauthorized entry to internal cloud assets, virtual private clouds (VPCs), and even on-premises networks linked through the Azure VPN Gateway.
This vulnerability transforms a seemingly innocuous read permission into a gateway for deep network infiltration, particularly devastating in hybrid environments where cloud and on-premises systems intersect.
Microsoft’s Response
Upon disclosure, Microsoft classified the over-privileged roles as a ‘low severity’ issue, opting to update documentation rather than restrict the roles’ permissions, leaving organizations exposed to potential misuse.
Conversely, the VPN PSK leak was deemed ‘Important,’ prompting a swift fix by mandating a specific permission (Microsoft.Network/connections/sharedKey/action) for key access, alongside a $7,500 bounty awarded to the researcher.
To safeguard against these threats, organizations must proactively audit and restrict the use of the identified over-privileged roles, replacing them with custom roles tailored to minimal necessary permissions.
Limiting role scopes to specific resources or resource groups, rather than broad subscriptions, further reduces risk.
As cloud security remains a shared responsibility, this incident underscores the need for vigilance: blind trust in provider tools can lead to catastrophic breaches.
For robust protection, continuous monitoring and validation of permissions are essential to prevent identity-driven attacks in Azure environments.
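The audit the article recommends can be done offline against exported role definitions and assignments. The following script is an added example, not code from Token Security or Microsoft. It uses constructed sample data shaped like the output of `az role definition list` and `az role assignment list` (the `roleName`, `permissions[].actions`/`notActions`, `roleDefinitionName`, `scope` and `principalName` fields), a hypothetical custom role name, and a placeholder subscription id. It flags roles that grant the wildcard `*/read` permission, highlights assignments that pair such a role with subscription-wide scope, and evaluates a role's actions against a specific operation using Azure's wildcard matching rules, which also shows why `*/read` covers ordinary `.../read` operations but not the `.../sharedKey/action` permission Microsoft now requires for PSK retrieval.

```python
"""Offline audit of Azure RBAC role definitions and assignments (added example).

All data below is constructed for illustration in the shape of `az role
definition list` / `az role assignment list` output; it is not a real export.
The custom role name and subscription id are placeholders.
"""
import re

# Constructed role definitions (subset of fields from `az role definition list`).
ROLE_DEFINITIONS = [
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Managed Applications Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Log Analytics Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    # Hypothetical least-privilege replacement limited to one resource type.
    {"roleName": "Managed Apps Metadata Reader (custom)",
     "permissions": [{"actions": ["Microsoft.Solutions/applications/read"],
                      "notActions": []}]},
]

# Constructed role assignments (fields as in `az role assignment list`).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
ROLE_ASSIGNMENTS = [
    {"principalName": "svc-monitoring",
     "roleDefinitionName": "Log Analytics Reader", "scope": SUB},
    {"principalName": "svc-catalog",
     "roleDefinitionName": "Managed Applications Reader",
     "scope": SUB + "/resourceGroups/rg-apps"},
    {"principalName": "svc-catalog-v2",
     "roleDefinitionName": "Managed Apps Metadata Reader (custom)", "scope": SUB},
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role_def: dict, operation: str) -> bool:
    """Simplified effective-permission check: granted when an Actions entry
    matches and no NotActions entry in the same permission block excludes it."""
    for perm in role_def["permissions"]:
        granted = any(action_matches(a, operation) for a in perm.get("actions", []))
        denied = any(action_matches(n, operation) for n in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def wildcard_read_roles(role_defs) -> list:
    """Role names whose Actions include a read over every provider ('*/read' or '*')."""
    broad = []
    for rd in role_defs:
        if any(a in ("*/read", "*")
               for perm in rd["permissions"] for a in perm.get("actions", [])):
            broad.append(rd["roleName"])
    return broad


def is_subscription_scope(scope: str) -> bool:
    """True for '/subscriptions/<id>' with nothing below it."""
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def flag_assignments(assignments, role_defs) -> list:
    """Assignments pairing a wildcard-read role with subscription-wide scope."""
    broad = set(wildcard_read_roles(role_defs))
    return [a for a in assignments
            if a["roleDefinitionName"] in broad and is_subscription_scope(a["scope"])]


if __name__ == "__main__":
    print("Roles granting */read:", wildcard_read_roles(ROLE_DEFINITIONS))
    for a in flag_assignments(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f"REVIEW: {a['principalName']} has {a['roleDefinitionName']} at {a['scope']}")
    reader = ROLE_DEFINITIONS[0]
    for op in ("Microsoft.Network/connections/read",
               "Microsoft.Network/connections/sharedKey/action"):
        print(f"Reader allows {op}: {role_allows(reader, op)}")
```

Against a real tenant, feed the script the JSON from `az role definition list` and `az role assignment list --all` instead of the constructed lists; the matching logic is deliberately kept to Actions and NotActions, so deny assignments and data actions would need to be added for a complete picture.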