AutoWarp is a critical vulnerability in the Azure Automation service that allowed unauthorized access to other Azure customer accounts using the service. Depending on the privileges the customer had assigned, this attack could have meant complete control over the target account's resources and data.
Microsoft Azure Automation enables organizations to run automation code in a managed manner. You can schedule jobs, provide input and output, and more. Each company's automation code runs in a sandbox, isolated from other customers' code running on the same virtual machine.
The vulnerability could have caused billions of dollars in damage
Research by Orca Security revealed that several large companies were using the service and could have been accessed through this vulnerability. The AutoWarp vulnerability could have caused billions of dollars in damage. Orca reported the critical vulnerability in Azure Automation directly to Microsoft; it is now resolved and all affected customers have been notified.
"We would like to thank Yanir Tsarimi at Orca Security for reporting this vulnerability and working with the Microsoft Security Response Center (MSRC) on the Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe," explains the Microsoft Security Response Center (MSRC). Before the vulnerability was fixed, companies were vulnerable to AutoWarp if they were using the Azure automation service and had the Managed Identity feature enabled in their automation account (which it is by default). Orca Security has explained the full background to the vulnerability in a blog post.
More at Orca.security
About Orca Security
Orca Security delivers out-of-the-box security and compliance for AWS, Azure, and GCP—without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Simplify cloud security operations with a single CNAPP platform for workload and data protection, cloud security posture management (CSPM), vulnerability management, and compliance. Orca Security prioritizes risks based on security issue severity, accessibility, and business impact.