Azure Cloud Configuration Review – Source:www.hackerone.com

Testing Methodologies

HackerOne’s Microsoft Azure testing methodologies are grounded in the principles of the PTES, CIS Microsoft Azure Benchmarks, and the Azure Well-Architected Framework Pillar. Additionally, our testing processes adhere to the standards required for CREST certification/accreditation, ensuring comprehensive and reliable assessments across various cloud environments, including Microsoft Azure. Organizations can now better protect against risk and attacks with highly skilled experts with specialized, proven expertise in vulnerabilities specific to the products and services in your Azure cloud environment.

Common Vulnerabilities

Microsoft Azure operates with a Shared Responsibility Model that outlines the division of security responsibilities between Microsoft and its customers. The division of areas of responsibility vary based on the deployment type: Software as a Service (SaaS), Platform as a Service (Paas), and Infrastructure as a Service (IaaS). Though, with any deployment, customers are responsible for the security of their data, devices, and accounts. With the vast number of potential combinations of Azure services and their configurations, it can be easy to overlook vulnerabilities that can arise from misconfigurations.

Entra ID Misconfigurations

Entra ID, (formally known as Azure Active Directory) is the Identity and Access Management (IAM) service for Microsoft’s cloud environments. Users in Entra ID can be both internal and external to your organization. If audits are not regularly performed, guest credentials could exist past their time of necessity, which is a possible entry point for compromise. Furthermore, additional IAM misconfigurations can occur.

Outside of the cloud, local Active Directory (AD) runs on servers known as Domain Controllers (DC). Each DC contains a list of entities that are authorized to access network resources. In order to authenticate, users use the Kerberos or NTLM protocols.

Your self-hosted AD can be synchronized to this cloud variant using Entra Connect Sync. This on-premise and cloud combination is referred to as a hybrid. If your organization uses a hybrid authentication model using the pass-through or federated methods, any publicly exposed passwords are reported but only if the password hash synchronization feature is explicitly enabled.

Multi-factor authentication (MFA) must also be enabled, as the default configuration settings do not enforce it. This should be applied to the Service Management API and all user accounts.

Additionally, there are two group types within Entra ID: Security and M365. The creation of these groups should be restricted to administrators only. By creating groups, you can organize users within your cloud environment by department and give them access to shared resources. By default when an M365 group is created, it is set to public. This public state can lead to users sharing sensitive information with a wider audience than intended. It is vital to secure connected IAM systems in both Azure and on premise systems to prevent attackers from exploiting a misconfiguration to pivot from one IAM system to the other. Security is only as strong as the weakest link.

Microsoft RBAC Misconfigurations

Managing who has access to Azure resources, what actions can be taken against them, and what areas of the cloud can be accessed is achieved through Role Based Access Control (RBAC). By assigning a role to a user, user group, or service – fine-grained access control measures can be implemented. Role assignments consist of three elements: a security principle, role definition, and scope. The security principle identifies the entity that a collection of permissions referred to as a role definition applies to. Once a role definition is assigned to a security principle, a scope can be applied that defines the resources and services that are allowed to be accessed.

While several built-in roles are provided, misconfigurations can arise when creating custom roles. For example, the use of wildcard characters (*) grants access to all available actions that can be executed on a resource. In the absence of supplied NotActions that explicitly specify actions that cannot be performed, wildcard characters can lead to unauthorized access to sensitive data and functionality.

Virtual Network Misconfigurations

Virtual Networks provide the means to partition hosts belonging to your organization through subnetting. To ensure members of your organization only have access to the portions of the network that are required to perform their duties, network security groups with stringent rules need to be implemented. The creation of these groups should be restricted to administrators only.

Misconfigurations in security group rules can lead to unauthorized access to hosts and services. The rules are built using multiple parameters, including: the originating source, destination source, protocol, traffic direction, port or port range, and priority level. Even if rules are established, the vast number of possible combinations of these parameters can lead to access oversight.

Additionally, rules are processed in a set priority order. As soon as traffic matches a priority level, processing stops. This means the intended rule may not be enforced if its priority ranking is misconfigured.

Modifications of rules or the complete removal of them only apply to subsequent connections. Any existing connections are not reevaluated. This can also lead to unauthorized access if users who do not meet the updated criteria had prior access to the resource. Misconfigurations in routing tables and forced tunneling settings can also lead to unapproved network access. Attackers can exploit these misconfigurations to access any Azure resource on that network segment.

App Service Misconfigurations

Azure App Service is a Platform-as-a-Service (PaaS) for building, deploying, and scaling web applications and APIs.

Authentication to this service is disabled by default on new web applications, allowing anonymous access. Once enabled, this feature enforces authentication on all HTTP requests before they reach the application code. Because anonymous access by default is insecure, additional configuration hardening is required.

Azure Function Apps default to public access but can be restricted to Azure Virtual Networks (VNets) for enhanced security. Unless absolutely necessary, public access should be limited using private endpoints to prevent unauthorized access. Functions should use access keys and not be configured using accounts with administrative privileges. It is vital to restrict and harden access in accordance with the Principle of Least Privilege.

Azure Web Apps support both HTTP and HTTPS protocols, with HTTP access being allowed by default. All traffic should be redirected to use the secure variant of the protocol to provide secure encrypted communication.

Advisor Misconfigurations

The Azure Advisor service provides detailed, actionable recommendations that can improve the security of your organization’s cloud environment. By default, all recommendations are enabled. However, with the appropriate permission levels, configurations can be made in order to exclude recommendations based on subscriptions or resources. Recommendations can also be postponed or dismissed on a single resource. If recommendations are dismissed, they will not be seen again unless manually reactivated. Forgotten recommendations that were dismissed or disabled entirely can lead to a lack of awareness regarding critical security issues, leaving your environment vulnerable to exploitation.

Activity Log Misconfigurations

Microsoft’s Azure Monitor collects and aggregates data from every area and resource across your Azure environment. The Activity Log maintains an audit trail of activity events taken within the environment that is crucial for threat monitoring and incident response processes. It is vital to ensure that alerts for critical events such as “Delete PostgreSQL Database” are enabled to provide immediate awareness of significant changes to your environment. 

Virtual Machine Misconfigurations

Virtual Machines (VMs) are scalable computing resources provided by Microsoft that allows users to run applications and workloads in the Azure cloud.

Misconfigured rules such as “install approved extensions only” and  “enable automatic OS upgrades” can lead to vulnerabilities. Since extensions run with administrator privileges, the use of vulnerable extensions can result in privilege escalation and remote execution attacks. Also, outdated operating systems can contain known vulnerabilities just awaiting exploitation. Additionally, VMs should be configured to use managed disk volumes encrypted with a managed key. This also applies to unattached disks in the subscription.

Blob Storage Misconfigurations

Microsoft Azure offers various different storage services. The Blob Storage service is able to hold massive amounts of unstructured data such as text and binary data in a network of remote servers. By default, any files uploaded to the cloud are set to private. However, improper access configurations can lead to unauthorized access to sensitive data.

In Azure, unique namespaces for your data are known as storage accounts. Within these accounts, blob files are organized in containers, similar to how files are stored in directories. Each blob can be accessed via a URL that all share the same format of: https://[storage-account].blob.core.windows.net/[container-name]/[blob-name]

Since the storage account name is the only dynamic part of the URL, any containers that are unintentionally set to the “Public read access for container and its blobs” access level, can be easily enumerated and their contents can be read.

A dictionary attack would not be very effective in enumerating file names unless they were generically named. However, a List Blobs API call can be issued, that is a GET request to https://[storage-account].blob.core.windows.net/[container-name]?restype=container&comp=list to enumerate the blobs in a publicly accessible container. If these containers were supposed to be protected, this can lead to unauthorized access to critical data.

Additionally, vulnerabilities can arise in the absence of the “enable immutable blob storage” rule, which allows users to store critical data in a state that disables the modification and deletion of data for a specified amount of time.

Azure Database Service Misconfigurations

Azure offers a number of different database options for data storage in the cloud. Encryption both at rest as well as in transit is vital to ensuring sensitive data is not accessed or intercepted by unauthorized third parties. Robust auditing and logging measures are also a critical aspect to allow your organization to quickly identify and respond to potential data theft.

As a best practice, separate accounts should be used for database access. This limits the potential threat an account could pose in the event it is compromised. The principle of least privilege and a zero trust security model should be foundations when addressing who has access to your organization’s database services. By taking a defense-in-depth approach in regard to database security, you can iteratively harden against data breaches through the use of firewalls at differing levels, access management policies, encryption, regular auditing, and threat detection tooling.

Azure Key Vault Misconfigurations

The secure storage and accessibility of secrets within your Azure environment can be accomplished using Azure Key Vault.

Proper key vault-specific RBAC implementations and the delineation of key vaults are vital to limiting secret access to only those who have the required permission levels and need to access them. Any user accounts that do meet these requirements should have MFA enabled as their privileged roles pose a greater risk to an organization should they be compromised. Data could be permanently lost if a threat actor were to gain access to one of these accounts in the absence of soft-delete and purge protection configurations.

Automatic key rotation should be enabled in your organization’s key policy. This rotation type will automatically renew a key at configured intervals which mitigates against access to secrets by members who may have had their access revoked or no longer belong to your organization.

Key vaults should be configured to only allow connections through private endpoints. Misconfigurations can increase your organization’s attack surface by facing the vaults publicly. Additionally, it is crucial to enable logging on key vaults in order to assess for suspicious access and activate response processes.

Azure Defender Misconfigurations

Defender is a cloud-native application protection platform (CNAPP) that provides a suite of security measures and practices. Designed to improve your organization’s security posture, Defender assists in identifying vulnerabilities across your entire attack surface.

Defender should be enabled for all of your organization’s resources and services, including those on-premise as well as on different cloud providers. This security tool is able to provide a comprehensive level of hardening to your assets, but only if it is aware of them to begin with. Defender will provide security recommendations in order to remediate security gaps that it identifies. For example, Defender will alert you of any software updates that should be applied to virtual machines. Misconfigured exemptions to handle these suggestions can result in assets being left in a vulnerable state.

Azure Configuration Review Best Practices

Careful Scoping

Having the right scope is crucial to a successful pentest—what is being tested can be just as important as how it is being tested. An Azure environment can be vast, with various resources and services distributed throughout.

By strategically selecting targets within your cloud environment, you can ensure quality time is dedicated to your most critical cloud assets. This curation can mean the difference between an inconsequential configuration review and a valuable review that discovers high-impact vulnerabilities. HackerOne assesses your assets to provide guidance on which ones to include and delivers a quote tailored to your specific requirements.

Skills-Based Tester Matching

Traditional consultancies often rely on in-house pentesters with general skills. However, Azure pentesting requires specialized knowledge of the environment and cloud security practices.

With HackerOne Pentest, delivered via a Pentest as a Service (PTaaS) model, customers gain access to a diverse pool of elite, vetted security researchers who bring a wide range of skills, certifications, and experience specific to Microsoft Azure. The HackerOne platform keeps track of each researcher’s skill set based on their track record and matches the most suitable researchers for each engagement. The community-driven PTaaS approach delivers comprehensive coverage, versatility, and the highest-quality results tailored to the services of your Azure environments.

Case Study: Microsoft’s Own Misconfiguration

In October of 2022, Microsoft confirmed that an Azure Blob Storage that contained 2.4 terabytes of sensitive data was left exposed due to a misconfiguration. Over 300,000 emails, 133,000 projects, and the information of 548,000 users belonging to 65,000 companies were publicly accessible. Included in this data were items such as invoices, intellectual property, and internal comments. 

The misconfigured bucket was maintained and owned by Microsoft themselves and the company only became aware of the issue after being notified of the vulnerability by threat intelligence provider SOCRadar. After receiving the notification, the technology giant resolved the issue by reconfiguring the storage bucket to a private state. Although there was no indication of unauthorized access, it was just a matter of luck that threat actors did not notice and access this misconfigured bucket first.

Why HackerOne PTaaS Is the Best Option for Azure Cloud Review

By choosing HackerOne as your partner in pentesting, your organization can fully benefit from the community-driven pentest-as-a-service (PTaaS) model that provides unmatched expertise and resources for Azure Security Configuration pentests. The HackerOne platform streamlines the entire pentest process to deliver the greatest return on investment in risk reduction.

By leveraging the people and the technology, your organization gains the following advantages:

• Comprehensive Azure Security Configuration Reviews: Access pentesters with deep expertise in auditing and improving Azure cloud configurations to secure your cloud infrastructure against vulnerabilities.
• Efficient Program Initiation: Experience rapid program setup with direct communication channels to testers, ensuring on-demand delivery of findings.
• Streamlined Pentest Management: Utilize the HackerOne Platform for pentest management, including a bi-directional Azure DevOps integration to align development and security teams, reducing manual back-and-forth communication. The result is a streamlined security vulnerability remediation workflow.
• Extended Attack Surface Coverage: Our diverse community of security researchers excels in uncovering misconfigurations and vulnerabilities unique to Azure environments, enabling comprehensive security audits without the need to switch vendors.

Contact the HackerOne team today to get started!