Disclosure of Vulnerability in Azure Automation Managed Identity Tokens

On December 10, 2021, Microsoft mitigated a vulnerability in the Azure Automation service. Automation accounts that used managed identity tokens for authorization and ran their jobs in an Azure sandbox were exposed. Microsoft has not detected evidence of misuse of tokens.

Microsoft has notified customers with affected Automation accounts. Microsoft recommends following the security best practices here for the Azure Automation service.

Description of the Vulnerability

An Azure Automation job can acquire a managed identity token for access to Azure resources. The scope of that token's access is defined by the Automation account's managed identity. Due to the vulnerability, a user running an automation job in an Azure sandbox could have acquired the managed identity tokens of other automation jobs, gaining whatever access to resources those Automation accounts' managed identities had been granted.

Note: Automation accounts that use an Automation Hybrid worker for execution and/or Automation Run-As accounts for access to resources were not impacted.
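Because the exposure was bounded by what each Automation account's managed identity could reach, the first triage question for an affected tenant is which accounts carry a managed identity and what role assignments that identity holds. The following script is an added example, not MSRC's code or part of the advisory: it consumes JSON shaped like the output of `az automation account list -o json` and `az role assignment list --all -o json` (the sample data is constructed, with shortened ids, and only the fields the script reads are assumed to be present) and maps each account with a system- or user-assigned identity to that identity's role assignments, flagging broad roles or subscription-scoped grants for review first. It does not determine whether an account's jobs ran on a Hybrid Runbook Worker rather than in the Azure sandbox; that must be checked separately against the jobs' run-on settings.

```python
"""Triage helper: which Automation accounts have a managed identity, and what can it reach?

Added example. Input shapes follow `az automation account list` and
`az role assignment list --all`; only the fields read below are assumed.
"""
import json

# Constructed sample (not real tenant data), shaped like `az automation account list -o json`.
ACCOUNTS_JSON = """
[
  {"name": "auto-prod",
   "id": "/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/auto-prod",
   "identity": {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}},
  {"name": "auto-legacy",
   "id": "/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/auto-legacy",
   "identity": null},
  {"name": "auto-uami",
   "id": "/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.Automation/automationAccounts/auto-uami",
   "identity": {"type": "UserAssigned", "principalId": null,
                "userAssignedIdentities": {
                  "/subscriptions/sub-1/resourceGroups/rg-ops/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-ops":
                    {"principalId": "22222222-2222-2222-2222-222222222222",
                     "clientId": "cccccccc-cccc-cccc-cccc-cccccccccccc"}}}}
]
"""

# Constructed sample shaped like `az role assignment list --all -o json`. The third entry
# belongs to a principal that is not an Automation identity and must be ignored.
ASSIGNMENTS_JSON = """
[
  {"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-1"},
  {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/sub-1/resourceGroups/rg-ops"},
  {"principalId": "33333333-3333-3333-3333-333333333333", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/sub-1"}
]
"""

# Roles broad enough that a leaked token for this identity warrants immediate review.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def load_samples():
    """Parse the constructed samples above into (accounts, assignments)."""
    return json.loads(ACCOUNTS_JSON), json.loads(ASSIGNMENTS_JSON)


def identity_principals(account):
    """Return the principalIds of an account's managed identities (system- and user-assigned)."""
    identity = account.get("identity") or {}
    principals = []
    if identity.get("principalId"):
        principals.append(identity["principalId"])
    for uami in (identity.get("userAssignedIdentities") or {}).values():
        if uami.get("principalId"):
            principals.append(uami["principalId"])
    return principals


def triage(accounts, assignments):
    """Map each account that has a managed identity to the (role, scope) pairs it holds."""
    by_principal = {}
    for ra in assignments:
        by_principal.setdefault(ra["principalId"], []).append(
            (ra["roleDefinitionName"], ra["scope"]))
    radius = {}
    for acct in accounts:
        principals = identity_principals(acct)
        if not principals:  # no managed identity: out of scope for this issue
            continue
        radius[acct["name"]] = [ra for p in principals for ra in by_principal.get(p, [])]
    return radius


def is_subscription_scope(scope):
    """True for "/subscriptions/<id>" itself, not for resource groups or resources beneath it."""
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0] == "subscriptions"


def high_risk(radius):
    """Accounts whose identity holds a broad role or any subscription-wide assignment."""
    return sorted(name for name, ras in radius.items()
                  if any(role in BROAD_ROLES or is_subscription_scope(scope) for role, scope in ras))


if __name__ == "__main__":
    radius = triage(*load_samples())
    for name, ras in radius.items():
        print(name)
        for role, scope in ras:
            print(f"  {role} @ {scope}")
    print("review first:", high_risk(radius))
```

Against the constructed data, `auto-legacy` has no identity and is skipped, `auto-uami` holds only Reader on a resource group, and `auto-prod` is flagged because its system-assigned identity is Contributor on the whole subscription; that is the account whose role assignments to narrow first under the least-privilege best practices referenced above.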

Description of the Mitigation

The vulnerability was reported to Microsoft by Orca Security on December 6, 2021. Microsoft mitigated the issue on December 10, 2021, by blocking access to managed identity tokens from all sandbox environments except the one that had legitimate access to them.

We want to thank Yanir Tsarimi of Orca Security who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.

The MSRC Team