Azure Key Vault Vulnerabilities Could Leak Sensitive Data After Entra ID Breach
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A detailed walkthrough demonstrates how attackers can manipulate Azure Key Vault’s access policies after compromising Entra ID (formerly Azure AD) credentials.
According to Faran Siddiqui, a penetration tester report, a “Key Vault 06 – Abuse Decryption Key,” shed light on this critical vulnerability and the technique involving AzureAD CLI and Microsoft Graph API.
The breakdown stems from “Key Vault 06 – Abuse Decryption Key,” a security lab scenario focused on helping red team testers and penetration testers understand potential threats in the Azure Key Vault ecosystem.
How Does the Attack Works
The attack scenario begins with an attacker gaining access to compromised Azure credentials. Using PowerShell commands, the attacker logs into the Azure environment, establishes connections to Microsoft Graph API via tokens, and enumerates accessible resources.
Access to Azure Resources:
The attacker initiates the compromise by running the following commands:
$passwd = ConvertTo-SecureString "" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential("", $passwd) Connect-AzAccount -Credential $creds $Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
These steps authenticate the attacker and prepare them to enumerate Azure resources.
Discovering the Key Vault:
The Get-AzResource Command reveals a list of resources accessible to the compromised account.
Among them is an Azure Key Vault. Using Burp Suite, it was observed that a GET request to the management endpoint retrieves the data in JSON format:
https://management.azure.com/subscriptions//resources?api-version=2021-04-01
This response identifies the Key Vault’s name (e.g., aszlytkq347).
Testing Permission Restrictions:
Attempting to list secrets using Get-AzKeyVaultSecret confirms that the compromised account lacks the necessary permissions. Similar restrictions apply when trying to fetch secrets using REST API calls:
https://.vault.azure.net/secrets?api-version=7.0
Enumerating Available Keys:
The attacker shifts focus to enumerating cryptographic keys stored in the Key Vault using:
Get-AzKeyVaultKey -VaultName
This command retrieves information about stored keys, revealing their algorithms, types, and versions. Requests to endpoints such as /keys and /keys/ expose metadata about the keys.
Decrypting Sensitive Data:
With access to at least one RSA key and its associated version, the attacker leverages the decryption feature by combining the compromised information with the provided decryption key (given at the start of the lab). Using the Invoke-AzKeyVaultKeyOperation command, they decrypt sensitive data as follows:
$encryptedBytes = [Convert]::FromBase64String('') $DecryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -ByteArrayValue $encryptedBytes -VaultName -Name [system.Text.Encoding]::UTF8.GetString($DecryptedData.RawResult)
This converts encrypted Base64 strings into readable UTF-8 text, thereby exposing sensitive contents.
Burp Suite Observations:
Burp Suite logs reveal a POST request to the endpoint:
/keys///decrypt?api-version=7.5-preview.1
The request body includes the encrypted content (Base64) sent for decryption, with the Key Vault responding with the plain-text result.
The blog highlights critical security oversights in access policy configurations and the reliance on compromised credentials. Attackers abusing key decryption processes underlines the importance of enforcing robust Role-Based Access Control (RBAC) permissions and auditing Azure activity logs for suspicious behavior.
Mitigation Steps
Enterprise Security recommends the following measures to safeguard Azure Key Vaults from such attacks:
This insightful walkthrough highlights ongoing challenges in securing cloud environments, particularly Azure. The alarming ease with which access policies can be exploited stresses the need for organizations to treat cloud security as a continuous process.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Azure Key Vault Vulnerabilities Could Leak Sensitive Data After Entra ID Breach
Author: Balaji NA detailed walkthrough demonstrates how attackers can manipulate Azure Key Vault’s access policies after compromising Entra ID (formerly Azure AD) credentials.
According to Faran Siddiqui, a penetration tester report, a “Key Vault 06 – Abuse Decryption Key,” shed light on this critical vulnerability and the technique involving AzureAD CLI and Microsoft Graph API.
The breakdown stems from “Key Vault 06 – Abuse Decryption Key,” a security lab scenario focused on helping red team testers and penetration testers understand potential threats in the Azure Key Vault ecosystem.
How Does the Attack Works
The attack scenario begins with an attacker gaining access to compromised Azure credentials. Using PowerShell commands, the attacker logs into the Azure environment, establishes connections to Microsoft Graph API via tokens, and enumerates accessible resources.
Access to Azure Resources:
The attacker initiates the compromise by running the following commands:
$passwd = ConvertTo-SecureString "" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential("", $passwd) Connect-AzAccount -Credential $creds $Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
These steps authenticate the attacker and prepare them to enumerate Azure resources.
Discovering the Key Vault:
The Get-AzResource Command reveals a list of resources accessible to the compromised account.
Among them is an Azure Key Vault. Using Burp Suite, it was observed that a GET request to the management endpoint retrieves the data in JSON format:
https://management.azure.com/subscriptions//resources?api-version=2021-04-01
This response identifies the Key Vault’s name (e.g., aszlytkq347).
Testing Permission Restrictions:
Attempting to list secrets using Get-AzKeyVaultSecret confirms that the compromised account lacks the necessary permissions. Similar restrictions apply when trying to fetch secrets using REST API calls:
https://.vault.azure.net/secrets?api-version=7.0
Enumerating Available Keys:
The attacker shifts focus to enumerating cryptographic keys stored in the Key Vault using:
Get-AzKeyVaultKey -VaultName
This command retrieves information about stored keys, revealing their algorithms, types, and versions. Requests to endpoints such as /keys and /keys/ expose metadata about the keys.
Decrypting Sensitive Data:
With access to at least one RSA key and its associated version, the attacker leverages the decryption feature by combining the compromised information with the provided decryption key (given at the start of the lab). Using the Invoke-AzKeyVaultKeyOperation command, they decrypt sensitive data as follows:
$encryptedBytes = [Convert]::FromBase64String('') $DecryptedData = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -ByteArrayValue $encryptedBytes -VaultName -Name [system.Text.Encoding]::UTF8.GetString($DecryptedData.RawResult)
This converts encrypted Base64 strings into readable UTF-8 text, thereby exposing sensitive contents.
Burp Suite Observations:
Burp Suite logs reveal a POST request to the endpoint:
/keys///decrypt?api-version=7.5-preview.1
The request body includes the encrypted content (Base64) sent for decryption, with the Key Vault responding with the plain-text result.
The blog highlights critical security oversights in access policy configurations and the reliance on compromised credentials. Attackers abusing key decryption processes underlines the importance of enforcing robust Role-Based Access Control (RBAC) permissions and auditing Azure activity logs for suspicious behavior.
Mitigation Steps
Enterprise Security recommends the following measures to safeguard Azure Key Vaults from such attacks:
- Restrict Key Vault Permissions: Ensure that limited users or service principals are granted Key Vault access, particularly for decryption or key management operations.
- Enable Managed Identities: Use Managed Identities for an extra layer of security instead of static credentials.
- Audit Logs and Alerts: Monitor logs for unusual activity in the Azure Key Vault, particularly POST requests to /decrypt endpoints.
- Enable Conditional Access Policies: Implement Conditional Access to restrict login attempts from suspicious IPs or regions.
- Regular Key Vault Reviews: Periodically review and rotate keys, ensuring no stale or unauthorized keys exist.
This insightful walkthrough highlights ongoing challenges in securing cloud environments, particularly Azure. The alarming ease with which access policies can be exploited stresses the need for organizations to treat cloud security as a continuous process.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
