medium

Silent Reaper (Azure LogicApp Secrets Control Plane Exfiltration)

Published Wed, Feb 26th, 2025
Platforms

Summary

Azure iPaaS services, such as Logic Apps, separate the Control Plane (management) from the Data Plane (execution), but a flaw in this model enabled undetectable data harvesting. An attacker with Azure Reader access to workflow run history can silently extract sensitive data from executions, including secrets and API responses. This is possible because execution details are exposed via the Control Plane, bypassing Data Plane access controls. The root cause of this issue is the unintended exposure of runtime data through metadata endpoints, which could allow an attacker to passively collect information without triggering alerts or requiring direct execution privileges.

Affected Services

LogicApps

Remediation

Reduce the scope and usage of the built-in Reader role. Assign it through Privileged Identity Management (PIM) for just-in-time (JIT) activation rather than as standing access. Consider creating custom roles that grant only the read permissions actually needed, instead of assigning Reader.
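The summary and remediation above hinge on one RBAC detail: the built-in Reader role grants `*/read`, and that wildcard covers the Logic Apps run-history operations exposed through the Control Plane. The following is an added example, not code from the original entry or from Microsoft; it models Azure's action/notAction wildcard matching for role definitions and audits whether a role can read workflow run history. The custom role name is hypothetical, and the `Microsoft.Logic/workflows/runs/read` and `Microsoft.Logic/workflows/runs/actions/read` operation names are taken from the Logic Apps resource provider as I know them (verify against `az provider operation show --namespace Microsoft.Logic` before relying on them).

```python
"""Audit Azure role definitions for Logic Apps run-history exposure.

Added example: models Azure RBAC's Actions/NotActions wildcard semantics so a
defender can check whether a role (built-in or custom) lets a principal read
workflow run history, the access path described in the Silent Reaper entry.
"""
import re

# Built-in Reader role: '*/read' matches every read operation of every provider,
# including run history. Assumption: simplified to the two fields that matter here.
READER_ROLE = {
    "roleName": "Reader",
    "permissions": [{"actions": ["*/read"], "notActions": []}],
}

# Hypothetical custom role: can see that workflows exist, but run history is
# explicitly subtracted via NotActions.
LOGIC_APP_LISTER_ROLE = {
    "roleName": "Logic App Lister (no run history)",  # hypothetical name
    "permissions": [{
        "actions": [
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Logic/workflows/read",
        ],
        "notActions": ["Microsoft.Logic/workflows/runs/*"],
    }],
}

# Operations that return execution details (inputs/outputs of runs and actions).
# Assumption: operation names as published by the Microsoft.Logic provider.
RUN_HISTORY_OPERATIONS = [
    "Microsoft.Logic/workflows/runs/read",
    "Microsoft.Logic/workflows/runs/actions/read",
]


def _matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters including '/',
    and operation names are compared case-insensitively."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, operation.lower()) is not None


def role_grants(role: dict, operation: str) -> bool:
    """True if any permission block allows the operation via Actions and does
    not take it away again via NotActions."""
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get("actions", []))
        denied = any(_matches(p, operation) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def audit_run_history_exposure(role: dict) -> list:
    """Return the run-history operations this role would permit."""
    return [op for op in RUN_HISTORY_OPERATIONS if role_grants(role, op)]


if __name__ == "__main__":
    for role in (READER_ROLE, LOGIC_APP_LISTER_ROLE):
        exposed = audit_run_history_exposure(role)
        verdict = "EXPOSES run history" if exposed else "no run-history access"
        print(f"{role['roleName']}: {verdict} {exposed}")
```

Feeding a real definition (for example the JSON from `az role definition list --name Reader`) through `audit_run_history_exposure` shows why the remediation recommends custom roles: the NotActions subtraction is what removes the run-history read path while leaving ordinary resource visibility intact. A definition such as `LOGIC_APP_LISTER_ROLE` can be registered with `az role definition create --role-definition <file>`, after adding the `assignableScopes` the command requires.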

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Thu, Dec 26th, 2024
Exploitability Period
Ongoing
Known ITW Exploitation
-
Detection Methods
Undetectable, as the required logs are not available to Azure customers (as confirmed by Microsoft).
Piercing Index Rating
-
(PI:1.6)
Discovered by
Graham Gold