A critical security configuration issue in Azure Key Vault has been discovered that could allow users holding the Key Vault Contributor role to access sensitive data, contrary to Microsoft’s documented intentions.
This finding, reported by Datadog to Microsoft Security Research Center (MSRC), highlights a significant privilege escalation risk in Azure’s cloud infrastructure.
Users assigned the Key Vault Contributor role can escalate their privileges to read and modify the contents of any key vault that uses access policies as its access control mechanism.
This includes access to keys, certificates, and secrets, which goes against Microsoft’s original documentation stating that this role “does not allow you to access secrets, keys, or certificates.”
MSRC has stated that this configuration “is not a vulnerability” as “key vault contributors can manage the key vault access policies.”
In response, Microsoft has updated the Key Vault Contributor role documentation, clarifying that this role “can grant themselves data plane access by setting a Key Vault access policy.”
An attacker with access to an account holding this role or Microsoft.KeyVault/vaults/write permission could potentially read all data in a target key vault. This commonly includes sensitive information such as:
The issue was reported to MSRC on October 25, 2024, and underwent several review and documentation updates.
Microsoft closed the case on November 11, 2024, stating that the configuration is not a vulnerability. Datadog published their findings on December 16, 2024.
The vulnerability stems from conflicting permission scopes between the Azure RBAC permission model and the Key Vault access policy model, Datadog’s report reads.
The Key Vault Contributor role, which was intended to manage key vaults without access to secrets, could modify access policies and grant itself unintended access to key vault data.
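The escalation path just described leaves a recognisable trace: a control-plane access-policy write in which the caller names itself, followed by data-plane reads by that same identity. The following detection logic is an added example written for this article, not code from Datadog or Microsoft. The event lists are constructed samples shaped loosely like Azure Activity Log records (for the policy write) and Key Vault diagnostic AuditEvent records (for the secret read); the field names `callerObjectId`, `identityObjectId` and the operation-name strings are simplifying assumptions that a real pipeline would map from the provider’s schema.

```python
"""Detection for the Key Vault access-policy self-grant pattern.

Both event lists are constructed samples, not real logs. Field and
operation names are assumptions for this example (see lead-in).
"""
from datetime import datetime, timedelta

# Assumed operation names; map these from your actual log schema.
POLICY_WRITE_OP = "Microsoft.KeyVault/vaults/accessPolicies/write"
DATA_READ_OPS = {"SecretGet", "SecretList", "KeyGet", "CertificateGet"}

VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
         "/providers/Microsoft.KeyVault/vaults/prod-vault")

CONTROL_PLANE_EVENTS = [
    # A Key Vault Contributor (aaaa-1111) grants ITSELF secret permissions.
    {"time": "2024-10-25T10:00:00Z", "operationName": POLICY_WRITE_OP,
     "callerObjectId": "aaaa-1111", "resourceId": VAULT,
     "accessPolicies": [{"objectId": "aaaa-1111",
                         "permissions": {"secrets": ["get", "list"]}}]},
    # An administrator grants an application (bbbb-2222): not a self-grant.
    {"time": "2024-10-25T11:00:00Z", "operationName": POLICY_WRITE_OP,
     "callerObjectId": "admin-9999", "resourceId": VAULT,
     "accessPolicies": [{"objectId": "bbbb-2222",
                         "permissions": {"secrets": ["get"]}}]},
]

DATA_PLANE_EVENTS = [
    {"time": "2024-10-25T10:02:00Z", "operationName": "SecretGet",
     "identityObjectId": "aaaa-1111", "resourceId": VAULT, "resultSignature": "OK"},
    {"time": "2024-10-25T11:05:00Z", "operationName": "SecretGet",
     "identityObjectId": "bbbb-2222", "resourceId": VAULT, "resultSignature": "OK"},
]


def _ts(s):
    # fromisoformat does not accept a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_self_grants(control_events):
    """Policy writes where the caller is among the granted objectIds and the
    grant carries at least one data-plane permission. This is the escalation
    step itself and is worth alerting on even without a subsequent read."""
    hits = []
    for ev in control_events:
        if ev.get("operationName") != POLICY_WRITE_OP:
            continue
        for policy in ev.get("accessPolicies", []):
            perms = {p for v in policy.get("permissions", {}).values() for p in v}
            if policy.get("objectId") == ev["callerObjectId"] and perms:
                hits.append({"time": ev["time"], "principal": ev["callerObjectId"],
                             "vault": ev["resourceId"], "permissions": sorted(perms)})
    return hits


def correlate_reads(control_events, data_events, window_minutes=60):
    """Join each self-grant with data-plane reads by the same principal on the
    same vault inside the window: policy change followed by secret access."""
    findings = []
    for grant in find_self_grants(control_events):
        start = _ts(grant["time"])
        end = start + timedelta(minutes=window_minutes)
        for ev in data_events:
            if (ev["identityObjectId"] == grant["principal"]
                    and ev["resourceId"] == grant["vault"]
                    and ev["operationName"] in DATA_READ_OPS
                    and start <= _ts(ev["time"]) <= end):
                findings.append({**grant, "read_op": ev["operationName"],
                                 "read_time": ev["time"]})
    return findings


if __name__ == "__main__":
    for f in correlate_reads(CONTROL_PLANE_EVENTS, DATA_PLANE_EVENTS):
        print(f"ALERT self-grant then {f['read_op']}: {f['principal']} on {f['vault']}")
```

Run against the samples, only the first principal is flagged: it wrote a policy naming itself and read a secret two minutes later, while the application granted by an administrator is ignored. The self-grant alone (`find_self_grants`) is the higher-signal event; the read correlation mainly confirms that the new permission was used.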
To mitigate this risk, Microsoft recommends using the Role-Based Access Control (RBAC) permission model. Additionally, organizations should:
This discovery underscores the importance of understanding the nuances of cloud security configurations.
While Microsoft has updated its documentation, the incident highlights the need for continuous vigilance and regular security audits in cloud environments.
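Microsoft’s recommended mitigation is to move vaults to the RBAC permission model, and the gap only matters for vaults still on access policies where some principal holds `Microsoft.KeyVault/vaults/write` without a data-plane role. The audit below is an added example written for this article, not a Datadog or Microsoft tool. Its inputs are constructed samples shaped like simplified output of `az keyvault list`, `az role assignment list` and `az role definition list`; the role action lists are abbreviated, not Microsoft’s full built-in definitions. The remediation string uses the real Azure CLI flag `--enable-rbac-authorization`.

```python
"""Audit: which access-policy vaults can be self-granted by a control-plane role?

Inputs are constructed samples; role definitions are abbreviated.
"""
from fnmatch import fnmatchcase

VAULT_WRITE = "Microsoft.KeyVault/vaults/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg"

VAULTS = [
    {"name": "prod-vault", "id": RG + "/providers/Microsoft.KeyVault/vaults/prod-vault",
     "properties": {"enableRbacAuthorization": False}},   # still on access policies
    {"name": "rbac-vault", "id": RG + "/providers/Microsoft.KeyVault/vaults/rbac-vault",
     "properties": {"enableRbacAuthorization": True}},    # already migrated
]

# Abbreviated role definitions (constructed for this example).
ROLE_DEFINITIONS = {
    "Key Vault Contributor": {
        "actions": ["Microsoft.KeyVault/*"],
        "notActions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action"],
        "dataActions": []},
    "Reader": {"actions": ["*/read"], "notActions": [], "dataActions": []},
    "Key Vault Secrets User": {
        "actions": [], "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]},
}

ROLE_ASSIGNMENTS = [
    {"principalId": "aaaa-1111", "roleDefinitionName": "Key Vault Contributor", "scope": RG},
    {"principalId": "bbbb-2222", "roleDefinitionName": "Reader", "scope": VAULTS[0]["id"]},
    {"principalId": "cccc-3333", "roleDefinitionName": "Key Vault Contributor", "scope": VAULTS[1]["id"]},
    {"principalId": "dddd-4444", "roleDefinitionName": "Key Vault Secrets User", "scope": VAULTS[0]["id"]},
]


def scope_covers(scope, resource_id):
    """An assignment applies to a resource at or below its scope (inheritance)."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def grants_action(role, action):
    """Azure evaluates actions minus notActions; '*' wildcards span '/'."""
    allowed = any(fnmatchcase(action, p) for p in role.get("actions", []))
    denied = any(fnmatchcase(action, p) for p in role.get("notActions", []))
    return allowed and not denied


def audit(vaults, assignments, role_defs):
    """Flag every principal that can write an access-policy vault's properties,
    since on that model vaults/write is enough to grant itself data access."""
    findings = []
    for vault in vaults:
        if vault["properties"].get("enableRbacAuthorization"):
            continue  # RBAC model: vaults/write no longer implies data-plane access
        for a in assignments:
            role = role_defs.get(a["roleDefinitionName"], {})
            if scope_covers(a["scope"], vault["id"]) and grants_action(role, VAULT_WRITE):
                findings.append({"vault": vault["name"],
                                 "principalId": a["principalId"],
                                 "role": a["roleDefinitionName"]})
    return findings


def remediation(vault_name):
    """Switch the vault to the RBAC permission model (real Azure CLI flag)."""
    return f"az keyvault update --name {vault_name} --enable-rbac-authorization true"


if __name__ == "__main__":
    for f in audit(VAULTS, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f"{f['vault']}: {f['principalId']} ({f['role']}) can self-grant")
        print("  fix:", remediation(f["vault"]))
```

Only `prod-vault` is reported, and only for the resource-group-scoped contributor: the Reader and the Secrets User lack `vaults/write`, and the contributor on `rbac-vault` is harmless because that vault no longer honours access policies. Running the real `az` output through the same logic, then applying the printed `az keyvault update` command, is the practical version of the mitigation this article describes.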