Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer's accounts using the same service.
Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks.
According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to "gain full control over resources and data of a targeted account, depending on the permissions of the account."
Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers.
"We managed to obtain authentication tokens for other customer accounts through that server. Someone with malicious intentions could've continuously grabbed tokens, and with each token, widen the attack to more Azure customers," explains Tsarimi.
Microsoft has clarified that only Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed.
However, Orca also notes that the Managed Identities feature in an Automation account is enabled by default.
Microsoft says it had not detected evidence that tokens had been misused and has notified customers with affected Automation accounts.
According to Orca, on December 7 it discovered several large companies were potentially at risk, including "a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more."
Microsoft explains that an Azure Automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token's access is defined by the Automation Account's Managed Identity.
"Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account's Managed Identity," Microsoft Security Response Center (MSRC) notes.
Azure Automation accounts that use an Automation Hybrid Worker for execution and/or Automation Run-As accounts for access to resources weren't impacted.
Microsoft mitigated the issue on December 10 by blocking access to Managed Identities tokens to all sandbox environments except the one that had legitimate access, MSRC explains.
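Two facts above define what a defender should look at: only accounts with Managed Identities enabled were exposed, and what a leaked token could reach depends on the roles assigned to that identity. The script below, an added example that is not Orca's or Microsoft's code, triages a saved inventory for exactly that. It assumes the JSON shapes of `az automation account list` (fields `id`, `name`, `identity` with `type`, `principalId`, optional `userAssignedIdentities`) and `az role assignment list` (`principalId`, `roleDefinitionName`, `scope`); the records embedded in it are constructed, with a placeholder subscription id, so it runs offline.

```python
"""Triage Azure Automation accounts for the affected configuration (Managed
Identity enabled) and the blast radius of that identity's role assignments.
Added example; the input shapes are assumed to match the output of
`az automation account list` and `az role assignment list`."""
import json

# Constructed sample: one account with a system-assigned managed identity and
# one with no identity (it relies on a Run-As account, which was not affected).
AUTOMATION_ACCOUNTS_JSON = """[
  {"id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-patching",
   "name": "aa-patching",
   "identity": {"type": "SystemAssigned",
                "principalId": "11111111-1111-1111-1111-111111111111"}},
  {"id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/aa-legacy",
   "name": "aa-legacy",
   "identity": null}
]"""

# Constructed sample role assignments for the identity above. The Contributor
# assignment at subscription scope is the one that turns a leaked job token
# into control over far more than the patching job needs.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/SUB-PLACEHOLDER"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-ops"}
]"""

# Built-in roles that, at subscription or management-group scope, give a token
# broad write access; treat these as a separate, higher severity.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def managed_identity_enabled(account: dict) -> bool:
    """True when the account has a system- or user-assigned managed identity."""
    identity = account.get("identity") or {}
    # ARM uses "None", "SystemAssigned", "UserAssigned" or "SystemAssigned,UserAssigned".
    return identity.get("type", "None") != "None"


def identity_principals(account: dict) -> list:
    """Collect every principalId the account's managed identity can act as."""
    identity = account.get("identity") or {}
    principals = []
    if identity.get("principalId"):                      # system-assigned
        principals.append(identity["principalId"])
    for ua in (identity.get("userAssignedIdentities") or {}).values():
        if ua and ua.get("principalId"):                 # user-assigned
            principals.append(ua["principalId"])
    return principals


def is_broad_scope(scope: str) -> bool:
    """Subscription, management-group or root scope, i.e. not narrowed to a resource group."""
    if scope.startswith("/providers/Microsoft.Management"):
        return True
    return len(scope.strip("/").split("/")) <= 2         # "/subscriptions/<id>" or "/"


def triage(accounts_json: str, assignments_json: str) -> list:
    """Return one finding per Automation account that has a managed identity."""
    accounts = json.loads(accounts_json)
    assignments = json.loads(assignments_json)
    findings = []
    for acct in accounts:
        if not managed_identity_enabled(acct):
            continue
        principals = set(identity_principals(acct))
        roles = [a for a in assignments if a.get("principalId") in principals]
        broad = [a for a in roles
                 if a.get("roleDefinitionName") in BROAD_ROLES and is_broad_scope(a.get("scope", ""))]
        findings.append({
            "account": acct["name"],
            "identity_type": acct["identity"]["type"],
            "role_count": len(roles),
            "broad_assignments": [f'{a["roleDefinitionName"]} @ {a["scope"]}' for a in broad],
            "severity": "high" if broad else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(AUTOMATION_ACCOUNTS_JSON, ROLE_ASSIGNMENTS_JSON):
        print(json.dumps(finding, indent=2))
```

In practice you would feed it the saved output of the two `az` commands instead of the embedded samples. A "medium" finding is an account that was in scope for the bug; a "high" finding is one whose identity also held a broad role at subscription scope, which is where narrowing the role assignment to the resource group the runbooks actually manage reduces what any stolen token could do.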