
19 May 2024

Microsoft Azure's Storage Accounts Vulnerable to Hackers Due to Newly Discovered "By-Design" Flaw


Researchers have found that Microsoft Azure storage accounts are exposed to attackers through a "by-design" flaw. The flaw could expose the sensitive data of millions of users, including login credentials, personally identifiable information (PII), and financial details.

The flaw was first discovered by researchers from Wiz, a cloud security firm, during a routine scan of cloud infrastructure. They found that an authentication key for a storage account was exposed because of the "by-design" behavior, and they were able to access the storage account and download data without any valid login credentials.


According to Wiz researchers, this flaw is particularly alarming because it affects all Azure customers who use storage accounts. These accounts are commonly used to store and manage data for various purposes, such as application data, backups, and logs.


The researchers said that the flaw lies in how Azure generates and manages keys for storage accounts. When a new storage account is created, Azure generates two access keys that can be used to authenticate and authorize access to the storage account. These keys are then stored in a secure vault managed by Azure.


However, when one of the access keys is regenerated or rolled over, the old key is not immediately deleted from the secure vault. Instead, it is marked for deletion and kept in the vault for 7 days before being permanently deleted. During this 7-day period, the old key can still be used to access the storage account, even though it has been replaced by a new key.


This "by-design" behavior creates a window in which attackers can access a storage account with an old key that has not yet been permanently deleted, either by stealing the old key or by intercepting it while it is transmitted over the network.


To exploit this flaw, a hacker would need to have access to the old key and know the name of the storage account. However, Wiz researchers said that these requirements are not particularly difficult to meet. For example, a malicious insider could steal the old key and sell it on the dark web, or a hacker could use a technique called a "man-in-the-middle" attack to intercept the old key as it is transmitted over the network.


Microsoft has acknowledged the flaw and said that it is working on a fix. In a statement, the company said, "We are aware of this issue and are working to address it. We have no indication that this technique has been used in the wild. Customers can help protect themselves by regenerating their storage account keys and following our security guidance."


However, Wiz researchers said that regenerating access keys does not solve the problem, as the old keys will still be kept in the secure vault for 7 days. They recommended that Microsoft change its "by-design" behavior and delete old keys immediately when new keys are generated.
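The two-key model and the rotation recommendation above translate into a concrete defender's check. The following script is an added example, not code from the article or from Wiz or Microsoft: it audits a storage account inventory in the shape that `az storage account list -o json` returns (a constructed sample is embedded), flags accounts that still accept shared-key authentication, keys older than an assumed 90-day rotation policy, keys rotated inside the article's 7-day overlap window (where the previous key value may still be accepted), and accounts without a key expiration policy, and then emits the Azure CLI remediation commands. The property names `allowSharedKeyAccess`, `keyCreationTime` and `keyPolicy` are taken from the ARM storage account schema as I understand it; verify them against your own `az` output before relying on the script.

```python
import json
from datetime import datetime, timedelta, timezone

# OVERLAP_DAYS mirrors the 7-day retention window described in the article.
# MAX_KEY_AGE_DAYS is an assumed rotation policy, not an Azure default.
OVERLAP_DAYS = 7
MAX_KEY_AGE_DAYS = 90

# Constructed sample in the shape of `az storage account list -o json`.
# Field names are assumed from the ARM storage account schema.
SAMPLE_INVENTORY = json.dumps([
    {"name": "stprodapp", "resourceGroup": "rg-prod", "allowSharedKeyAccess": True,
     "keyCreationTime": {"key1": "2024-05-15T10:00:00.000000+00:00",
                         "key2": "2024-01-02T09:00:00.000000+00:00"},
     "keyPolicy": {"keyExpirationPeriodInDays": 90}},
    {"name": "stbackups", "resourceGroup": "rg-prod", "allowSharedKeyAccess": False,
     "keyCreationTime": {"key1": "2023-11-01T08:00:00.000000+00:00",
                         "key2": "2023-11-01T08:00:00.000000+00:00"},
     "keyPolicy": None},
    {"name": "stlogs", "resourceGroup": "rg-ops", "allowSharedKeyAccess": None,
     "keyCreationTime": {"key1": "2024-05-18T06:00:00.000000+00:00",
                         "key2": "2024-05-18T06:00:00.000000+00:00"},
     "keyPolicy": None},
])

# Fixed clock (the article's date) so the results are reproducible.
NOW = datetime(2024, 5, 19, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """Parse the ISO-8601 timestamps Azure emits; a missing value stays None."""
    return None if value is None else datetime.fromisoformat(value)


def audit_account(acct, now=NOW):
    """Return the list of risk findings for one storage account record."""
    findings = []
    # Azure permits shared-key auth unless it is explicitly disabled,
    # so a missing property is treated as enabled.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("shared-key-auth-enabled")
    else:
        # With shared-key auth off the account keys cannot authenticate
        # data-plane requests, so key age is not a data-exposure risk here.
        return findings
    for key in ("key1", "key2"):
        created = _parse_time((acct.get("keyCreationTime") or {}).get(key))
        if created is None:
            findings.append(f"{key}-creation-time-unknown")
            continue
        age = now - created
        if age > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append(f"{key}-stale")
        elif age <= timedelta(days=OVERLAP_DAYS):
            # Rotated inside the window: the previous value may still be
            # accepted, so watch for requests signed with the old key.
            findings.append(f"{key}-in-overlap-window")
    if not (acct.get("keyPolicy") or {}).get("keyExpirationPeriodInDays"):
        findings.append("no-expiration-policy")
    return findings


def audit(inventory_json, now=NOW):
    """Audit every account in an `az storage account list` JSON document."""
    return {a["name"]: audit_account(a, now) for a in json.loads(inventory_json)}


def remediation_commands(acct, findings):
    """Azure CLI commands that address each finding for one account."""
    n, g = acct["name"], acct["resourceGroup"]
    cmds = []
    if "shared-key-auth-enabled" in findings:
        cmds.append(f"az storage account update --name {n} --resource-group {g} "
                    f"--allow-shared-key-access false")
    for key, which in (("key1", "primary"), ("key2", "secondary")):
        if f"{key}-stale" in findings:
            cmds.append(f"az storage account keys renew --account-name {n} "
                        f"--resource-group {g} --key {which}")
    if "no-expiration-policy" in findings:
        cmds.append(f"az storage account update --name {n} --resource-group {g} "
                    f"--key-exp-days {MAX_KEY_AGE_DAYS}")
    return cmds


if __name__ == "__main__":
    inventory = json.loads(SAMPLE_INVENTORY)
    for acct in inventory:
        findings = audit_account(acct)
        print(f"{acct['name']}: {findings or 'no findings'}")
        for cmd in remediation_commands(acct, findings):
            print(f"    {cmd}")
```

Disabling shared-key access is the strongest of the three remediations because it makes both account keys inert for data-plane requests regardless of any retention window; the key-renewal commands are the fallback for workloads that still depend on account keys, and the expiration policy makes stale keys visible in Azure's own compliance reporting.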


This discovery has raised concerns about the security of cloud infrastructure and the growing reliance on cloud services for storing and managing sensitive data. With the increasing adoption of cloud services, it is more important than ever for cloud providers to prioritize security and take proactive measures to protect their customers' data.


In conclusion, the newly discovered "by-design" flaw in Microsoft Azure's storage accounts is a serious security issue that could expose sensitive data to attackers. While Microsoft works on a fix, customers should take proactive measures to protect themselves, such as regenerating access keys and following Microsoft's security guidance.