medium

Vault Recon (Azure KeyVault Secrets Metadata Control Plane Exfiltration)

Published Wed, Feb 26th, 2025

Platforms

azure

Summary

Azure Key Vault enforces a separation between the Control Plane (management) and the Data Plane (secrets access). However, a flaw in this isolation allows unauthorized users to enumerate the secrets and keys held in a vault. With only Reader access, or even lesser privileges, on a Key Vault, an attacker could use Azure Resource Explorer to read metadata about the stored secrets. This is unintended exposure through the Control Plane, which should provide no insight into Data Plane resources. The root cause is insufficient isolation between the two planes: metadata retrieval is permitted even when direct access to the secret values is restricted. As a result, an attacker can learn about sensitive assets without holding full permissions on them.

Affected Services

KeyVault

Remediation

Reduce the scope and usage of the Reader role. Assign it through Privileged Identity Management (PIM) for just-in-time (JIT) access rather than as standing access. Consider creating custom roles instead of using Reader.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/goldjg

Entry Status

Finalized

Disclosure Date

Thu, Dec 19th, 2024

Exploitability Period

Ongoing

Known ITW Exploitation

-

Detection Methods

Build a SIEM detection rule on AzureDiagnostics logs.

Piercing Index Rating

PI: 1.6

Discovered by

Graham Gold