
Azure API vulnerability and roles misconfiguration compromise corporate networks


TL;DR

Token Security researchers have discovered several Azure built-in roles whose definitions are over-privileged: they grant more permissions than Microsoft intended.

In addition, we discovered a separate vulnerability in the Azure API that allows an attacker to extract VPN keys.

Combined, these two issues form a new attack chain that lets a low-privileged user gain access to both internal cloud assets and on-premises networks.

In this report, we detail the research process that led to the discoveries, their implications, and what organizations can do to stay safe against these threats and other identity-driven attacks.

What is Azure RBAC?

Before jumping in, let’s discuss some basics.

Azure's permission model, Azure RBAC (Role-Based Access Control), is, as the name says, built around roles.

A role is a named set of permissions (actions) that can be assigned to a security principal (a user, group, service principal, managed identity, etc.). Granting a role to a principal at a particular scope creates a role assignment.
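To make that model concrete, here is an added example (it is not code from the Token Security report or from Azure) that models how Azure RBAC evaluates a request: a role definition's Actions minus its NotActions, with `*` as the only wildcard and matching done case-insensitively, and a role assignment inherited by every child scope of the scope it was granted at. The role names, principal IDs, subscription ID and resource group names are constructed for illustration; the action strings follow Azure's `Provider/resourceType/operation` format, but the two roles are not real built-in roles.

```python
"""Toy model of Azure RBAC evaluation: role definitions, assignments, scopes.

Added example: the roles, principals and scopes below are constructed for
illustration and are NOT Azure's real built-in role definitions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list                                    # granted operations, may use '*'
    not_actions: list = field(default_factory=list)  # operations subtracted again


@dataclass
class RoleAssignment:
    principal_id: str   # object ID of a user, group or service principal
    role_name: str      # name of the RoleDefinition being granted
    scope: str          # management group, subscription, resource group or resource ID


def _action_pattern(pattern: str) -> "re.Pattern[str]":
    # '*' is the only wildcard in Azure action strings and it also spans '/';
    # everything else is matched literally and case-insensitively.
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    return _action_pattern(pattern).match(action) is not None


def role_allows(role: RoleDefinition, action: str) -> bool:
    """A role permits an action iff an Actions entry matches and no NotActions entry does."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and is inherited by every child scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")  # the '/' keeps rg-net from covering rg-network


def is_authorized(principal_id: str, action: str, target_scope: str,
                  assignments: list, roles: list) -> bool:
    """True if some assignment for the principal covers the target and its role allows the action."""
    roles_by_name = {r.name: r for r in roles}
    return any(
        ra.principal_id == principal_id
        and scope_covers(ra.scope, target_scope)
        and role_allows(roles_by_name[ra.role_name], action)
        for ra in assignments
    )


def effective_actions(role: RoleDefinition, catalog: list) -> list:
    """Resolve a role against concrete operation names (Actions minus NotActions)."""
    return [op for op in catalog if role_allows(role, op)]


def wildcard_grants(role: RoleDefinition) -> list:
    """Actions entries that grant through '*': the first thing to audit in a suspect role."""
    return [a for a in role.actions if "*" in a]


# --- constructed sample tenant (fictional IDs and role names) -------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_NET = SUB + "/resourceGroups/rg-network"
RG_APP = SUB + "/resourceGroups/rg-app"

ROLES = [
    RoleDefinition("Sample Reader", actions=["*/read"]),
    RoleDefinition("Sample Network Operator",
                   actions=["Microsoft.Network/*"],
                   not_actions=["Microsoft.Network/virtualNetworkGateways/*"]),
]

ASSIGNMENTS = [
    RoleAssignment("alice-object-id", "Sample Reader", SUB),  # inherited by both RGs
    RoleAssignment("bob-object-id", "Sample Network Operator", RG_NET),
]

CATALOG = [  # a few concrete operations to resolve the sample roles against
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworkGateways/write",
    "Microsoft.Compute/virtualMachines/write",
]

if __name__ == "__main__":
    for role in ROLES:
        print(role.name, "->", effective_actions(role, CATALOG))
        print("  wildcard grants:", wildcard_grants(role))
    print(is_authorized("alice-object-id", "Microsoft.Network/virtualNetworks/read",
                        RG_APP, ASSIGNMENTS, ROLES))
    print(is_authorized("bob-object-id", "Microsoft.Network/virtualNetworkGateways/write",
                        RG_NET, ASSIGNMENTS, ROLES))
```

On a live tenant the same inputs come from `az role definition list` and `az role assignment list --all`; feeding a built-in role's definition through `effective_actions` against the operations you actually care about, and listing its `wildcard_grants`, is a quick way to compare what a role really reaches with what its description claims, which is the kind of gap the report describes.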

Every role assignment contains three main components:
