A critical security configuration issue in Azure Key Vault has been discovered that potentially allows users with the Key Vault Contributor role to access sensitive data, contrary to Microsoft’s documented intentions.
This finding, reported by Datadog to Microsoft Security Research Center (MSRC), highlights a significant privilege escalation risk in Azure’s cloud infrastructure.
Users assigned the Key Vault Contributor role can escalate their privileges to read and modify the contents of any key vault that uses access policies as its access control mechanism.

This includes access to keys, certificates, and secrets, which goes against Microsoft’s original documentation stating that this role “does not allow you to access secrets, keys, or certificates.”
MSRC has stated that this configuration “is not a vulnerability” as “key vault contributors can manage the key vault access policies.”
In response, Microsoft has updated the Key Vault Contributor role documentation, clarifying that this role “can grant themselves data plane access by setting a Key Vault access policy.”
An attacker with access to an account holding this role or Microsoft.KeyVault/vaults/write permission could potentially read all data in a target key vault. This commonly includes sensitive information such as:
- API keys
- Passwords
- Azure Storage shared access signatures (SAS)
- Authentication certificates
The issue was reported to MSRC on October 25, 2024, and underwent several review and documentation updates.
Microsoft closed the case on November 11, 2024, stating that the configuration is not a vulnerability. Datadog published their findings on December 16, 2024.
The vulnerability stems from conflicting permission scopes between the Azure RBAC permission model and the Key Vault access policy model, according to Datadog’s report.
The Key Vault Contributor role, which was intended to manage key vaults without access to secrets, could modify access policies and grant itself unintended access to key vault data.
To mitigate this risk, Microsoft recommends using the Role-Based Access Control (RBAC) permission model. Additionally, organizations should:
- Remove unauthorized users from access policies
- Rotate impacted Key Vault items
- Review and implement additional security considerations
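The following audit script is an added example, not code from Datadog’s report or from Microsoft. It applies the recommendations above to vault resource JSON in the shape returned by `az keyvault show` (field names `properties.enableRbacAuthorization` and `properties.accessPolicies[].objectId/permissions` as in the ARM Key Vault schema): vaults still on the access-policy model are flagged for migration to RBAC, and any principal holding data-plane permissions that is not on a constructed approved list is reported for removal, with a flag that the vault’s items should be rotated.

```python
import json

# Constructed sample in the shape returned by `az keyvault show` (only the
# fields this audit needs); object IDs are placeholders, not real principals.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-prod-secrets",
   "properties": {"enableRbacAuthorization": false,
     "accessPolicies": [
       {"objectId": "11111111-aaaa-4bbb-8ccc-000000000001",
        "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": []}},
       {"objectId": "22222222-aaaa-4bbb-8ccc-000000000002",
        "permissions": {"keys": ["Get"], "secrets": ["Get", "List", "Set"], "certificates": ["Get"]}}
     ]}},
  {"name": "kv-rbac-only",
   "properties": {"enableRbacAuthorization": true, "accessPolicies": []}}
]
""")

# Principals approved to hold data-plane access on access-policy vaults (constructed).
APPROVED_PRINCIPALS = {"11111111-aaaa-4bbb-8ccc-000000000001"}
DATA_PLANE_SCOPES = ("keys", "secrets", "certificates")

def audit_vaults(vaults, approved):
    """Return one finding per vault that still uses the access-policy model,
    where anyone with Microsoft.KeyVault/vaults/write (e.g. Key Vault
    Contributor) can edit accessPolicies and grant themselves data-plane
    access. Each finding lists unapproved principals holding such access."""
    findings = []
    for vault in vaults:
        props = vault.get("properties", {})
        if props.get("enableRbacAuthorization", False):
            continue  # RBAC model: access policies are ignored, nothing to review
        unapproved = []
        for policy in props.get("accessPolicies", []):
            perms = policy.get("permissions", {})
            granted = sorted(s for s in DATA_PLANE_SCOPES if perms.get(s))
            if granted and policy.get("objectId") not in approved:
                unapproved.append({"objectId": policy["objectId"], "scopes": granted})
        findings.append({"vault": vault["name"],
                         "recommendation": "migrate to the RBAC permission model",
                         "unapproved_principals": unapproved,
                         "rotate_items": bool(unapproved)})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_vaults(SAMPLE_VAULTS, APPROVED_PRINCIPALS), indent=2))
```

Feed it the output of `az keyvault show` for each vault in a subscription to get a per-vault list of policies to remove before switching the vault to RBAC.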
This discovery underscores the importance of understanding the nuances of cloud security configurations.
While Microsoft has updated its documentation, the incident highlights the need for continuous vigilance and regular security audits in cloud environments.