medium

Logic Apps privilege escalation to root

Published Wed, Mar 9th, 2022

Platforms

Summary

Azure Logic Apps use API Connections to authenticate actions to services. Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow someone to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload. The root cause of this behavior was that such a payload would meet the Swagger API definition, and it would be resolved by the server, resulting in a request to an unintended scope.

Affected Services

Azure Logic Apps

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-logic-app-contributor-escalation-to-root-owner/

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Tue, Mar 1st, 2022

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

6.21

(PI:1.5/A3:1.05/A4:1.05/A5:1.05/A6:8/A7:1.1/A8:0.9)

Discovered by

Josh Magri, NetSPI

More vulnerabilities...

medium

Autopilot node compromise via allowlisted workload masquerade

Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google, the root cause being insufficient verification of allowlisted workload image names. An attac...

Yuval Avrahami, Palo AltoMar 8, 2022

critical

AutoWarp

An exposed endpoint in the Azure Automation Service allowed to steal Azure API credentials from other customers

Yanir Tsarimi, Orca SecurityMar 7, 2022

medium

Google Cloud Armor packet size bypass

Cloud Armor has a documented limitation of 8 KB as the maximum size of web request that it will inspect. The default behavior of Cloud Armor in this case can allow oversized malicious requests to b...

Karan Saini, Riyaz Walikar,...Feb 24, 2022

View all