Researchers from Orca Security have found two vulnerabilities in Amazon's AWS and Microsoft's Azure clouds that could have allowed users access to other customers' infrastructure.
Both Amazon and Microsoft fixed the problems before anyone was compromised.
"This is the beauty of the cloud," said Orca security researcher Yanir Tsarimi, who discovered the problems. "If an issue like this is discovered it's fixed by the vendor and customers don’t have to do anything about it. It just gets taken care of."
Tsarimi reported the AutoWarp cross-tenant vulnerability to Microsoft on December 6, he told Data Center Knowledge, and Microsoft patched it four days later.
There was no evidence that any attackers had exploited this vulnerability before it was patched, Microsoft said in a statement released on Monday.
Whose tokens are these anyway
According to a report Orca Security published on Monday, there was an authentication flaw in the Microsoft Azure Automation Service, which lets customers create automations for their cloud environments.
Each customer's code runs inside a sandbox, isolated from other customers' code executing on the same virtual machine.
However, the server that manages these sandboxes had a security flaw, and Tsarimi was able to get authentication tokens that belonged to other customers – including a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more.
This was a pretty severe flaw. Since users set up automations to do things in their cloud environment, the automations must have permissions to do those things. If attackers get their hands on the authentication tokens, they can have all that access themselves.
"So if you use the automation to manage virtual machines, an attacker could take the token and interact with your virtual machines," Tsarimi said. "If you allowed full access to the virtual machines, the attacker would have full access."
That could include access to databases, or the ability to spin up new workloads for mining cryptocurrencies.
Attackers could also encrypt things or delete resources, he added.
The lesson here for enterprises is to follow the principle of least privilege, Tsarimi said. With least privilege, resources get only the access rights they need, and nothing more, in order to minimize potential risk.
There are also some best practices that customers should be following for security when it comes to Azure Automation, he said.
Microsoft posted the best practices earlier this month, with least privilege being the top recommendation.
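Because least privilege is the mitigation the article keeps returning to, here is an added audit example (not code from Orca or Microsoft) that flags automation identities holding broad roles at wide scopes, the kind of grant that turns a leaked token into full control of an environment. The input is a constructed sample shaped like `az role assignment list --all -o json` output; the principal names and the all-zero subscription id are placeholders.

```python
import json
import re

# Roles that confer broad write control; acceptable only when tightly scoped, if at all.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Roles that let a holder grant itself more rights, so they are flagged at any scope.
ESCALATION_ROLES = {"Owner", "User Access Administrator"}

_MGMT_GROUP = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)

# Constructed sample, shaped like `az role assignment list --all -o json` output (placeholder names/ids).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "auto-prod-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "auto-patching-identity", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
    {"principalName": "auto-legacy-runas", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

def scope_level(scope):
    """Classify an ARM scope string by how much of the tenant it covers."""
    if _MGMT_GROUP.match(scope):
        return "managementGroup"
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resourceGroup"
    return "resource"

def find_overbroad(assignments_json, principal_type="ServicePrincipal"):
    """Return assignments for the given principal type that violate least privilege."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalType") != principal_type:
            continue
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in ESCALATION_ROLES:
            reason = f"{role} allows granting further rights"
        elif role in BROAD_ROLES and level in ("managementGroup", "subscription"):
            reason = f"{role} at {level} scope"
        else:
            continue  # narrow role or narrow scope: consistent with least privilege
        findings.append({"principal": a["principalName"], "role": role, "scope": a["scope"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_overbroad(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']}: {f['reason']} ({f['scope']})")
```

On the sample, the subscription-wide Contributor and the resource-group Owner are reported, while the VM Contributor scoped to one resource group passes.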
The idea that a cloud customer can get access to others' environments sounds scary, said Yoav Alon, CTO at Orca.
But despite the existence of vulnerabilities like AutoWarp, public cloud remains one of the most secure environments for IT workloads.
"And when we found it, it was patched, and customers didn't have to do anything to stop being vulnerable," he said.
By comparison, if a vulnerability is discovered in an on-prem environment, customers have to do all the patching themselves, and it can have a big impact on their operations.
"We think that having the cloud provider fix the issue and audit for malicious activity and notify the customers if anything happened in their account is better than if they had to do everything themselves," Alon said.
The only thing that remains a mystery is how long the AutoWarp vulnerability was in place before Orca discovered it, since that information is only available to Microsoft itself.
"We can only speculate," Alon said. "We don't have definitive answers." But he estimated that it may have been present for between one and two years.
AWS Superglue vulnerability
In January, Tsarimi published a report about a similar cross-tenant vulnerability in the AWS Glue service.
AWS Glue is a data integration service. Just as Azure Automation is given access to customers' cloud environments in order to automate them, AWS Glue is given access to large quantities of customer data.
Again, Tsarimi was able to get authentication tokens that allowed access to other customers' AWS Glue services.
The Superglue vulnerability was probably even riskier than AutoWarp, he said, but it was also a very complex exploit that required weeks of research.
"Vulnerabilities exist in all software," Alon said. "And we also expect to find vulnerabilities in smaller cloud providers."
Orca plans to conduct similar research on all major cloud providers, he said.