OPERATIONAL DEFECT DATABASE
...
...
This article highlights a flaw in the design of Microsoft Azure roles that could lead to breaches between control and data planes. If a control plane user's account is compromised, it can be used to access and alter files stored in the storage accounts accessible to them.
The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data to the storage accounts. An example of a role with the ListKeys permissions is Storage Account Contributor. Example Diagram:
We strongly encourage customers to review: Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access Recommended Actions for Customers Veeam's Additional Recommendations: Limit the number of users that have access to your storage accounts. Storage accounts used to store sensitive data should be placed in separate resource groups.
Microsoft Documentation — Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access Microsoft Documentation — Recommended Actions for Customers Orca Security — From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys
Veeam Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
