Aman Mishra
2025-07-03 11:58:00
gbhackers.com
Token Security experts recently conducted a thorough investigation that exposed serious security weaknesses in Microsoft Azure’s Role-Based Access Control (RBAC) architecture.
Azure RBAC, the backbone of permission management in the cloud platform, allows administrators to assign roles to users, groups, or service principals with predefined permissions at varying scopes, from entire subscriptions to specific resources.
However, the investigation unearthed that several built-in roles intended to provide limited, service-specific access are misconfigured with excessive privileges.
Roles such as Managed Applications Reader and Log Analytics Reader, among a total of 10 identified, grant the overly broad */read permission, effectively mirroring the generic Reader role.

This allows access to sensitive metadata across all Azure resources, far beyond what their descriptions suggest.
Such over-privileging can enable attackers to extract credentials from automation accounts, map network configurations for further exploitation, and uncover critical data in storage accounts or backup vaults, creating a fertile ground for privilege escalation and attack planning.
Exploiting Azure API to Leak VPN Pre-Shared Keys
Compounding the issue, researchers discovered a severe vulnerability in the Azure API that permits the leakage of VPN Gateway pre-shared keys (PSKs) using only read permissions.
Typically, Azure enforces permissions through HTTP method distinctions: read-only operations use GET, while sensitive data retrievals are safeguarded with POST requests to block unauthorized access.
However, an oversight in the API design led to the VPN connection shared key retrieval being implemented as a GET request, bypassing intended security controls.
This flaw allows an attacker with minimal read access, often obtained via the aforementioned over-privileged roles, to fetch the PSK for Site-to-Site (S2S) VPN connections.
Armed with this key, a malicious actor could establish a rogue connection, gaining unauthorized entry to internal cloud assets, virtual private clouds (VPCs), and even on-premises networks linked through the Azure VPN Gateway.
This vulnerability transforms a seemingly innocuous read permission into a gateway for deep network infiltration, particularly devastating in hybrid environments where cloud and on-premises systems intersect.
Microsoft’s Response
Upon disclosure, Microsoft classified the over-privileged roles as a ‘low severity’ issue, opting to update documentation rather than restrict the roles’ permissions, leaving organizations exposed to potential misuse.
Conversely, the VPN PSK leak was deemed ‘Important,’ prompting a swift fix by mandating a specific permission (Microsoft.Network/connections/sharedKey/action) for key access, alongside a $7,500 bounty awarded to the researcher.
To safeguard against these threats, organizations must proactively audit and restrict the use of the identified over-privileged roles, replacing them with custom roles tailored to minimal necessary permissions.
Limiting role scopes to specific resources or resource groups, rather than broad subscriptions, further reduces risk.
As cloud security remains a shared responsibility, this incident underscores the need for vigilance: blind trust in provider tools can lead to catastrophic breaches.
For robust protection, continuous monitoring and validation of permissions are essential to prevent identity-driven attacks in Azure environments.
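The audit the article calls for can be scripted. The following is an added example, not code from the article, from Token Security or from Microsoft: it evaluates role definitions with Azure's wildcard semantics (a `*` in an Actions entry matches any characters, including `/`, and NotActions are subtracted), flags assignments whose role carries the broad `*/read` wildcard or sits at subscription scope, checks whether a role reaches the `Microsoft.Network/connections/sharedKey/action` operation that now gates PSK retrieval, and emits a minimal custom role definition as a replacement. The role definitions, assignments, principal names and subscription id are constructed sample data in the shape of `az role definition list` / `az role assignment list` output, not the live built-in roles; the custom role name is hypothetical.

```python
"""Offline audit of Azure RBAC role assignments (added example, not code from
the article or from Token Security). All role definitions, assignments,
scopes and principal names below are constructed sample data."""
import json
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
SHARED_KEY_ACTION = "Microsoft.Network/connections/sharedKey/action"

# Constructed role definitions (shape of `az role definition list`).
ROLE_DEFINITIONS = {
    "Log Analytics Reader": {
        "actions": ["*/read",
                    "Microsoft.OperationalInsights/workspaces/analytics/query/action"],
        "notActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/read"],
    },
    "Managed Applications Reader": {
        "actions": ["*/read", "Microsoft.Resources/deployments/*"],
        "notActions": [],
    },
    "Network Contributor": {
        "actions": ["Microsoft.Network/*"],
        "notActions": [],
    },
    "Workspace Query Reader (custom)": {  # hypothetical least-privilege role
        "actions": ["Microsoft.OperationalInsights/workspaces/read",
                    "Microsoft.OperationalInsights/workspaces/analytics/query/action"],
        "notActions": [],
    },
}

# Constructed assignments (shape of `az role assignment list`).
ASSIGNMENTS = [
    {"principalName": "log-shipper-sp", "roleDefinitionName": "Log Analytics Reader",
     "scope": SUBSCRIPTION},
    {"principalName": "app-catalog-sp", "roleDefinitionName": "Managed Applications Reader",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-apps"},
    {"principalName": "dashboard-sp", "roleDefinitionName": "Workspace Query Reader (custom)",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-logs/providers/"
              "Microsoft.OperationalInsights/workspaces/law-prod"},
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_grants(role: dict, operation: str) -> bool:
    """Effective control-plane permission: some Actions entry matches and
    no NotActions entry matches."""
    allowed = any(action_matches(p, operation) for p in role["actions"])
    denied = any(action_matches(p, operation) for p in role["notActions"])
    return allowed and not denied


def audit_assignments(assignments, role_definitions):
    """Return one finding per assignment that is broader than its role name suggests."""
    findings = []
    for a in assignments:
        role = role_definitions[a["roleDefinitionName"]]
        reasons = []
        if any(p.lower() == "*/read" for p in role["actions"]):
            reasons.append("role grants */read (reads metadata of every resource type)")
        if a["scope"].count("/") == 2:  # "/subscriptions/<id>" with nothing below it
            reasons.append("assigned at subscription scope")
        if role_grants(role, SHARED_KEY_ACTION):
            reasons.append("role can read VPN connection shared keys")
        if reasons:
            findings.append({"principal": a["principalName"],
                             "role": a["roleDefinitionName"], "reasons": reasons})
    return findings


def minimal_custom_role(name: str, actions: list, assignable_scope: str) -> str:
    """JSON body for `az role definition create --role-definition <file>`,
    listing only the explicit actions the workload needs (no wildcards)."""
    body = {"Name": name, "IsCustom": True,
            "Description": "Least-privilege replacement for an over-broad built-in role",
            "Actions": actions, "NotActions": [], "DataActions": [],
            "AssignableScopes": [assignable_scope]}
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    for f in audit_assignments(ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f"{f['principal']:16} {f['role']:32} {'; '.join(f['reasons'])}")
    print(minimal_custom_role("Workspace Query Reader (custom)",
                              ROLE_DEFINITIONS["Workspace Query Reader (custom)"]["actions"],
                              SUBSCRIPTION + "/resourceGroups/rg-logs"))
```

Against the sample data the script flags the two `*/read` roles (one of them also for subscription scope) and leaves the narrowly scoped custom role alone. The `role_grants` check also shows why Microsoft's fix closes the PSK path for read-only roles: `*/read` does not match an operation ending in `/action`, whereas a wildcard such as `Microsoft.Network/*` still does, so that is the pattern to look for when deciding who can read shared keys.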