Intro and Prior Work

In this three-part blog series we are exploring attack paths that emerge out of Managed Identity assignments in three Azure services: Automation Accounts, Logic Apps, and Function Apps. In part 1 we looked at how attack paths emerge out of Automation Account configurations. In part 2 we are looking at Logic Apps.

Managed Identity assignments are an extremely effective security control that prevent the accidental exposure of credentials by removing the requirement to store or use credentials in the first place. Instead of storing and sending credentials, Azure knows that your script is allowed to authenticate as a specific Service Principal. You should absolutely be using Managed Identity assignments in Azure instead of storing or accessing credentials.

But Managed Identities introduce a new problem: they can quickly create identity-based attack paths in Azure that may lead to escalation of privilege opportunities. In this series we will explore how those attack paths emerge, how they can be practically abused by an attacker, and how we as defenders can discover, mitigate, and prevent the future emergence of those attack paths.

Prior work involving abusing or exploiting Logic Apps:

- Josh Magri wrote all about various ways to abuse both Reader and Contributor level rights against a Logic App in August of 2021.
- Josh Magri reported a serviceable privilege escalation vulnerability involving Logic Apps to MSRC in March of 2022.
- Christopher Brumm wrote a very good, very in-depth post all about the security considerations surrounding Logic Apps in February of 2021.

What are Logic Apps?

Logic Apps are another Azure service falling under the general umbrella of "Azure Automation". Admins can use Logic Apps to construct what are called "workflows". Workflows are comprised of triggers and actions that occur as a result of those triggers. Here's a very basic example.

In this Logic App I'm using the visual designer to first define a trigger — an HTTP POST, in this example. When the Logic App receives a POST to that URL, it will then take the "name" input and return a body saying, "Hello, <name>!"

We can test the workflow right here in the GUI. We'll say that our name is "David" in the "Input" tab and submit the request. Then we'll see the result, "Hello, David!" in the "Output" tab.

Logic Apps of course allow for much more complex and powerful workflows than this, including workflows where the actions may need to authenticate to some other service to perform a privileged action. And that's where Managed Identities and Service Principals enter the picture.

Logic Apps and Service Principals

Logic Apps are great for automating tasks. But what if that task requires some sort of privilege to perform? For example, what if instead of saying "Hello, David!", we want to grant David some Azure admin role?

Enter Managed Identities. As discussed in the introduction of this blog post, Managed Identities are a fantastic way to securely, automatically authenticate as a service principal without needing to store or retrieve credentials. Enabling a Managed Identity for a Logic App couldn't be easier. Just click "Identity" under "Account Settings" and toggle the "Status" option from "Off" to "On", then click "Save".

Let's start thinking of these things in the form of a graph and how the various objects fit into a hierarchy. Our Logic App, "MyExampleLogicApp", has a Managed Identity assignment to the service principal whose object ID starts with "faf5c7…". As you can see, the Logic App finds itself within the greater hierarchy of AzureRM and AzureAD. The Service Principal associated with the Logic App does not have any privileges by default. Let's give this Service Principal some privileges and try to stay within the bounds of least privilege by giving it "Contributor" access on the subscription the Logic App resides in. This would let the Service Principal create and manage resources in this subscription.

As configured, this setup doesn't introduce any privilege escalation opportunities: if an attacker gains control of either the Service Principal or the Logic App, they're just stuck in a loop.

Let's flesh this environment out a bit more by adding another subscription and some more descendant objects, including a Function App in another resource group. Let's also grant "My Cool Function App" an identity it can authenticate as, and this time we're going to grant its associated Service Principal Global Admin (or understand that it can escalate itself to Global Admin).

And now we have created a privilege escalation opportunity — if an attacker gains control of "MyExampleLogicApp" or its associated Service Principal, they will be able to escalate up to Global Administrator, gaining control of everything in the Azure environment.

Abusing Logic App Managed Identity Assignments

If an attacker has sufficient privilege to create or edit an existing workflow, they can turn that into control of the Service Principal, gaining whatever privileges the Service Principal holds. These Azure role assignments allow for creating or editing an existing workflow:

- Owner
- Contributor
- Logic App Contributor

Additionally, the following privilege allows one to grant themselves any of the above role assignments against the Logic App:

- User Access Administrator

There are several ways to tackle this problem, but for me the most straightforward abuse is to extract a JSON Web Token (JWT) for the Service Principal, then use that JWT to authenticate as the Service Principal outside the scope of the Logic App. Using the Azure Portal GUI, we will modify an existing workflow to include the following action. This action will make a POST request to my evil attacker-controlled web server at 159.223.206.196:8000. That evil web server is running a Python SimpleHTTPServer which will simply print any headers received to the console.

At the bottom of the action you can see that the action will attempt to authenticate to my evil server using the Logic App's system-assigned managed identity. When the workflow runs, this action will get an MS Graph-scoped token for the Logic App's Managed Identity, then include that token in the authorization header in the POST to my evil server. Now that we have this JWT we can authenticate to MS Graph as the Service Principal, gaining any privileges held by that Service Principal.

Prevention

There are several steps you should take, as a defender, to ensure these attack paths do not exist in your Azure environment.

Step 1: Audit and Remove Privileges Held by Service Principals

Your first step should be to find any service principals that have been granted the most dangerous privileges in Azure. Audit both the active and eligible assignments for the following AzureAD admin roles:

- Global Administrator
- Privileged Role Administrator
- Privileged Authentication Administrator

You should also audit for any Service Principals that have been granted any of the following MS Graph app roles:

- RoleManagement.ReadWrite.Directory
- AppRoleAssignment.ReadWrite.All

If any service principal has been granted any of the above roles in AzureAD or MS Graph, you should immediately investigate that service principal for existing signs of misuse. You should also remove those role assignments from the service principals, if possible.

Step 2: Audit Privileges Held by Other Principals

Unfortunately you may not be able to easily or immediately remove privileges that have been granted to a service principal. Your next step then will be to limit the exposure of those highly privileged service principals by auditing the users, groups, and service principals that have been granted any of the following AzureAD admin roles:

- Application Administrator (including those scoped specifically to the Service Principal)
- Cloud Application Administrator (including those scoped specifically to the Service Principal)
- Directory Synchronization Accounts
- Hybrid Identity Administrator
- Partner Tier1 Support
- Partner Tier2 Support

You should also audit the explicit owners of service principals you identified in Step 1 that y
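The graph reasoning from the Logic App / Function App walkthrough and the two Prevention steps can be automated with a small control-graph search. The following is an added example written for this article; it is not code from the post, from SpecterOps, or from BloodHound. Every object name and assignment in SAMPLE_RECORDS is constructed to mirror the environment described above (a Logic App whose managed identity is Contributor on its subscription, and a Function App in that subscription whose managed identity is Global Administrator), the record format is invented for this example, and treating every Step 1 role as a "tier-zero" target that the post's Global Admin case generalises to is an assumption of the example.

```python
"""Attack-path discovery over a control graph of Azure and AzureAD objects.

Added illustration for this article, not SpecterOps or BloodHound code.
Object names, assignments and the record format are all constructed.
"""
from collections import deque

# Azure RM roles that let the holder create or edit a Logic App workflow (listed in the post).
WORKFLOW_EDIT_ROLES = {"Owner", "Contributor", "Logic App Contributor",
                       "User Access Administrator"}
# Step 1 roles. Assumption of this example: each is modelled as a tier-zero target,
# since each can grant or take over Global Administrator.
TIER_ZERO = {"Global Administrator", "Privileged Role Administrator",
             "Privileged Authentication Administrator",
             "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All"}
# Step 2 roles: AzureAD roles that give control over service principals.
SP_CONTROL_ROLES = {"Application Administrator", "Cloud Application Administrator",
                    "Directory Synchronization Accounts", "Hybrid Identity Administrator",
                    "Partner Tier1 Support", "Partner Tier2 Support"}

# Constructed records: (kind, subject, object, role). object is None where unused.
SAMPLE_RECORDS = [
    ("contains", "Subscription-A", "RG-Apps", None),
    ("contains", "RG-Apps", "MyExampleLogicApp", None),
    ("contains", "Subscription-A", "RG-Functions", None),
    ("contains", "RG-Functions", "My Cool Function App", None),
    ("contains", "Subscription-B", "RG-Other", None),
    ("managed_identity", "MyExampleLogicApp", "SP-faf5c7", None),
    ("managed_identity", "My Cool Function App", "SP-FunctionApp", None),
    ("rm_role", "SP-faf5c7", "Subscription-A", "Contributor"),
    ("aad_role", "SP-FunctionApp", None, "Global Administrator"),
    ("rm_role", "alice", "MyExampleLogicApp", "Logic App Contributor"),
    ("rm_role", "bob", "Subscription-B", "Reader"),          # Reader cannot edit workflows
    ("owner", "carol", "SP-FunctionApp", None),
    ("aad_role", "dave", None, "Application Administrator"),  # unscoped: every SP
]


def build_graph(records):
    """Return (graph, service_principals, principals); edge A -> B means control of A yields B."""
    service_principals, principals = set(), set()
    for kind, subject, obj, _role in records:
        if kind in ("managed_identity", "owner"):
            service_principals.add(obj)
        if kind == "app_role":
            service_principals.add(subject)
        if kind in ("rm_role", "aad_role", "owner", "app_role"):
            principals.add(subject)
    principals |= service_principals

    graph = {}

    def add(src, dst):
        graph.setdefault(src, [])
        graph.setdefault(dst, [])
        if dst not in graph[src]:
            graph[src].append(dst)

    for kind, subject, obj, role in records:
        if kind in ("contains", "managed_identity", "owner"):
            add(subject, obj)                 # hierarchy, identity assignment, ownership
        elif kind == "rm_role" and role in WORKFLOW_EDIT_ROLES:
            add(subject, obj)                 # may edit workflows anywhere under this scope
        elif kind in ("aad_role", "app_role") and role in TIER_ZERO:
            add(subject, role)                # holds a tier-zero privilege
        elif kind == "aad_role" and role in SP_CONTROL_ROLES:
            for sp in ([obj] if obj else sorted(service_principals)):
                add(subject, sp)              # SP-scoped or tenant-wide control of SPs
    return graph, service_principals, principals


def find_path(graph, start):
    """Shortest control path (list of nodes) from start to any tier-zero node, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in TIER_ZERO:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit_step1(records, service_principals):
    """Step 1: service principals directly holding any tier-zero AzureAD role or Graph app role."""
    return {s for kind, s, _o, role in records
            if kind in ("aad_role", "app_role") and role in TIER_ZERO and s in service_principals}


def audit_step2(graph, principals, sp):
    """Step 2: principals other than sp itself that have some control path to sp."""
    reverse = {}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    seen, stack = set(), [sp]
    while stack:
        for pred in reverse.get(stack.pop(), []):
            if pred not in seen:
                seen.add(pred)
                stack.append(pred)
    return (seen & principals) - {sp}


if __name__ == "__main__":
    graph, sps, principals = build_graph(SAMPLE_RECORDS)
    for start in ("MyExampleLogicApp", "alice", "bob", "carol", "dave"):
        print(start, "->", find_path(graph, start))
    for sp in audit_step1(SAMPLE_RECORDS, sps):
        print("tier-zero SP", sp, "exposed to", sorted(audit_step2(graph, principals, sp)))
```

Run as a script it prints the seven-hop path from MyExampleLogicApp through SP-faf5c7, Subscription-A and My Cool Function App to Global Administrator, shows that bob (Reader only) has no path, and lists SP-FunctionApp as the one Step 1 finding with alice, carol, dave and SP-faf5c7 as its Step 2 exposure. In a real tenant the records would come from Azure RM role assignments, resource hierarchy, directory role and app role assignments, and service principal ownership exports; the search logic stays the same.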