Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Cloud Security

Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse

Microsoft Azure shared key authorization can be exploited to access business data and achieve remote code execution.

An exploitation path involving Azure shared key authorization could allow full access to accounts and business data and ultimately lead to remote code execution (RCE), cloud security company Orca warns.

Along with Azure Active Directory (Azure AD) credentials, shared keys represent one of the authorization methods that Microsoft Azure Storage accounts can take advantage of, and is part of Azure infrastructure by default.

Compared to Azure AD, shared keys provide inferior security, and Microsoft recommends not using storage authorization via access keys when granular access is required, as that would expose organizations to risks.

The attack scenario that Orca has discovered represents further proof of these risks and underlines the need for organizations to disable shared key authorization as a security best practice.

By default, Azure generates two 512-bit storage account access keys for any newly created account. Because these keys are like root passwords for that account, anyone in the possession of these keys can abuse shared key authorization to obtain access to a storage account.

“With this key, obtained either through a leakage or appropriate AD role, an attacker can not only gain full-access to storage accounts and potentially critical business assets, but also move laterally in the environment and even execute remote code,” Orca notes.

The company’s investigation revealed that access key authentication can be used to perform more actions than defined by the permissions Azure accounts are given to ensure their access to the data they require.

Advertisement. Scroll to continue reading.

Specifically, an Azure Storage account with permissions to read data objects may also be able to modify and delete data, Orca says.

Furthermore, the company discovered that a compromised Storage account can be abused to exfiltrate a higher-privileged identity and then abuse it to move laterally and to deploy and execute a reverse shell in virtual machines, using specific API calls.

The main issue here, Orca notes, is the level of access that an attacker could gain by compromising an Azure Storage account or by obtaining their access keys, combined with the fact that, once inside the environment, the attacker can access data and perform malicious actions without being detected.

Despite the potential risks associated with shared keys, however, the feature cannot be removed from Azure “without making significant changes to the system’s design,” Orca was told.

Applying the principle of least-privilege mitigates the risks associated with this exploitation scenario, as does completely disabling shared key authorization in Azure.

Microsoft has published a blog post detailing best practices, as well as the steps that the company is taking to move away from shared key authorization. 

Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Related: CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Related: Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...