Recently, a security researcher made claims that Microsoft quietly addressed a vulnerability in Azure Backup for AKS after initially rejecting the report and blocking the issuance of a CVE.
The vulnerability in question was a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged “Backup Contributor” role.
Despite Microsoft’s statement that no product changes were made, the researcher documented new permission checks and failed exploit attempts after disclosure, indicating a potential silent patch.
Security researcher Justin O’Leary discovered the flaw in March and reported it to Microsoft, only to have the report rejected by the Microsoft Security Response Center (MSRC) on the grounds that it required pre-existing administrative access.
O’Leary disagreed with this assessment, highlighting that the vulnerability allowed a user with zero Kubernetes permissions to gain cluster-admin access without the need for existing cluster access.
After escalating the issue to CERT Coordination Center, the vulnerability was validated independently, but Microsoft recommended against assigning a CVE, effectively leaving the final decision to Microsoft as a CNA.
Azure Backup for AKS uses Trusted Access to grant the backup extension cluster-admin privileges inside the Kubernetes cluster. The flaw allowed a user holding only the Backup Contributor Azure role to trigger Trusted Access without holding any pre-existing Kubernetes permissions.
By enabling backup on a target AKS cluster, an attacker could cause Trusted Access to be configured automatically with cluster-admin privileges, and from there potentially extract secrets or introduce malicious workloads.
The vulnerability was classified as a Confused Deputy vulnerability (CWE-441), where Azure RBAC and Kubernetes RBAC trust boundaries were exploited to bypass authorization controls.
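Because the escalation path ran through a Trusted Access role binding that the cluster's Kubernetes administrators never created themselves, one practical defensive check is to enumerate the Trusted Access bindings on each cluster and compare their source resources against the backup vaults that are actually supposed to be attached. The script below is an added example written for this article, not code from the researcher or from Microsoft. It assumes the JSON array shape produced by `az aks trustedaccess rolebinding list` (objects with `name`, `roles` and `sourceResourceId` fields); the sample bindings, subscription ID and vault names are constructed for illustration.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample, shaped like the JSON array returned by
# `az aks trustedaccess rolebinding list --resource-group <rg> --cluster-name <name>`.
# Field names and resource IDs are assumptions for illustration, not data from the article.
SAMPLE_BINDINGS_JSON = """[
  {
    "name": "backup-binding-prod",
    "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"],
    "sourceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/vault-prod"
  },
  {
    "name": "backup-binding-unexpected",
    "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"],
    "sourceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-scratch/providers/Microsoft.DataProtection/backupVaults/vault-unknown"
  }
]"""

# Allowlist of backup vaults that are supposed to hold Trusted Access to this cluster
# (constructed; a real deployment would keep this in configuration, not in code).
EXPECTED_SOURCES = {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/vault-prod",
}


def _norm(resource_id: str) -> str:
    # Azure resource IDs compare case-insensitively, so normalise before matching.
    return resource_id.strip().lower()


def find_unexpected_bindings(bindings_json: str, expected_sources: Iterable[str]) -> List[Dict[str, str]]:
    """Return every Trusted Access binding whose source resource is not on the allowlist.

    Each finding records the binding name, the source resource that was granted
    access, and the roles it received, so the result can be fed to an alert.
    """
    allow = {_norm(s) for s in expected_sources}
    findings: List[Dict[str, str]] = []
    for binding in json.loads(bindings_json):
        source = binding.get("sourceResourceId", "")
        if _norm(source) not in allow:
            findings.append({
                "binding": binding.get("name", "<unnamed>"),
                "source": source,
                "roles": ",".join(binding.get("roles", [])),
            })
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; in practice pipe the az CLI output into this instead.
    for finding in find_unexpected_bindings(SAMPLE_BINDINGS_JSON, EXPECTED_SOURCES):
        print(f"UNEXPECTED Trusted Access binding {finding['binding']} "
              f"from {finding['source']} granting {finding['roles']}")
```

Run on a schedule across all clusters, this turns the silent appearance of a Trusted Access binding from an unrecognised vault into an alert. Pairing it with a review of who holds the Backup Contributor role on the subscription closes the loop from the Azure RBAC side of the trust boundary the article describes.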
Microsoft initially denied that a security vulnerability existed, describing the behavior as expected and as requiring pre-existing administrative privileges. After the disclosure, however, the original attack path no longer worked, indicating that changes had been made to address the flaw.
Despite observable fixes, Microsoft did not issue a public advisory or notify customers about the resolution of the vulnerability.
Without a CVE or advisory, organizations lacked visibility into the exposure window and remediation timeline, potentially leaving them vulnerable to exploitation. The absence of a CVE hampers security teams’ ability to track and address potential exposures.
The case underscores the challenges in vulnerability disclosure processes, highlighting the need for a framework that incentivizes all parties involved to prioritize timely and effective resolution of security issues.