Purpose
This article highlights a flaw in the design of Microsoft Azure roles that could lead to breaches between control and data planes. If a control plane user's account is compromised, it can be used to access and alter files stored in the storage accounts accessible to them.
Cause
The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data to the storage accounts. An example of a role with the ListKeys permissions is Storage Account Contributor.
Example Diagram:
Solution
We strongly encourage customers to review:
Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access
Recommended Actions for Customers
Veeam's Additional Recommendations:
Limit the number of users that have access to your storage accounts.
Storage accounts used to store sensitive data should be placed in separate resource groups.
More Information
Microsoft Documentation — Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access
Microsoft Documentation — Recommended Actions for Customers
Orca Security — From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys
