Privilege Escalation Flaw Found in Azure Machine Learning Service – Source: www.infosecurity-magazine.com

A critical privilege escalation vulnerability affecting Azure Machine Learning (AML) has been discovered by cybersecurity researchers.

The flaw allows attackers with only Storage Account access to execute arbitrary code within AML pipelines, potentially leading to full subscription compromise under default configurations.

Vulnerability Rooted in Invoker Script Access

The issue, identified by cloud security firm Orca, arises from the way AML stores and executes invoker scripts (Python files that orchestrate ML components) inside an automatically created Storage Account. These scripts, when modified, run with the permissions of the AML compute instance, which often carries broad or highly privileged identities.

In their proof of concept (POC), Orca showed that attackers with basic storage write permissions could:

• Replace invoker scripts to inject malicious code

• Extract secrets from Azure Key Vault

• Escalate privileges using the managed identity of AML compute instances

• Assume the role of the user who created the instance, including “Owner” permissions on an Azure subscription

This attack vector is particularly concerning given that SSO (Single Sign-On) is enabled by default, allowing compute instances to inherit creator-level access.

Microsoft’s Response and Key Mitigations

Microsoft acknowledged Orca’s findings but clarified that this behavior is “by design,” equating access to the Storage Account with access to the compute instance itself.

However, the company has since updated its documentation and introduced a key change – AML now runs jobs using snapshots of component code rather than reading scripts from storage in real time.

Read more on Azure vulnerabilities: Microsoft Azure MFA Flaw Allowed Easy Access Bypass

Although Microsoft does not consider this a security flaw, Orca emphasized that the exploit worked under default and supported settings. They warn that unless users explicitly reconfigure storage access, SSO and managed identities, their environments remain at risk.

To help prevent exploitation, AML users are advised to:

• Restrict write access to AML Storage Accounts

• Disable SSO on compute instances where possible

• Use system-assigned identities with minimal permissions

• Enforce immutability and versioning on critical scripts

• Implement checksum validation for invoker scripts

Orca concluded that while AML’s security model is valid in theory, in practice, it leaves organizations exposed without rigorous access controls.

Regular configuration reviews and adherence to the principle of least privilege remain essential in safeguarding machine learning pipelines.