high

Azure Site Recovery privilege escalation

Published Tue, Feb 13th, 2024
Platforms

Summary

When the ASR service is enabled, it uses an Automation Account with a System-Assigned Managed Identity to manage Site Recovery extensions on VMs. However, the Runbook (a set of scripts for managing extensions) executed by the Automation Account had its job output visible to users, and this output mistakenly included a cleartext Management-scoped Access Token for the System-Assigned Managed Identity, which holds the Contributor role over the entire Azure subscription. As a result, lower-privileged users who could read the Automation Account's job output could see and use this Access Token. This allowed them to impersonate the Managed Identity and elevate their privileges to Contributor on the whole subscription, including the ability to execute commands on VMs as `NT Authority\SYSTEM`.

Affected Services

Azure Site Recovery (ASR)

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status: Finalized
Disclosure Date: Tue, Jan 9th, 2024
Exploitability Period: -
Known ITW Exploitation: -
Detection Methods: -
Piercing Index Rating: -
Discovered by: Joshua Murrell, NetSPI