Datadog Security Labs has uncovered a potential privilege escalation method in Azure Key Vault that could grant unintended access to sensitive secrets, keys, and certificates. This discovery sheds light on how attackers could exploit role misconfigurations to bypass access restrictions, challenging the trust in Azure’s built-in roles.
The investigation revealed that the Key Vault Contributor role, which is not intended to provide access to Key Vault data, could be used to gain full access. Microsoft's documentation described the role as able to manage key vaults but explicitly not to access their data. However, Datadog researchers found that the role includes the Microsoft.KeyVault/vaults/write permission, which allows the vault's access policies to be modified. This effectively lets a holder of the role elevate their own privileges and read sensitive data.
“Inclusion of the Microsoft.KeyVault/vaults/write permission in an Azure built-in role violated the defined boundary of what data the role could access,” stated the report. This design gap enables users to bypass restrictions and directly read Key Vault secrets.
Datadog presented a real-world scenario in which an attacker compromises a user's account via phishing and leverages the Key Vault Contributor role to modify access policies. By granting themselves full data-plane permissions, the attacker can retrieve secrets such as API keys, passwords, and authentication certificates. The flaw arises only when a Key Vault is configured with the access-policy permission model rather than the Azure RBAC model: access policies are stored on the vault resource itself, so a permission to write the vault resource is also a permission to rewrite who may read its data.
“An attacker with the Key Vault Contributor role could modify access policies and grant themselves access to all of a Key Vault’s data. Any Key Vault secrets would then be exposed to this attacker,” the report highlights.
Following the disclosure to Microsoft’s Security Response Center (MSRC), the behavior was classified as “by design.” Microsoft updated its documentation to clarify that the Key Vault Contributor role allows modification of access policies, emphasizing the need for careful role assignment and monitoring.
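The two controls the report points at are discoverable and monitorable. As an added illustration (not Datadog's or Microsoft's code), the following Python audits an inventory of vaults and role assignments for the exposed combination the report describes (vault still on the access-policy model plus a Key Vault Contributor assignment in scope) and scans simplified Activity Log records for access-policy writes by principals outside an approved set. Every record here is constructed for the example; the `enableRbacAuthorization` property and the `Microsoft.KeyVault/vaults/write` permission are taken from the Key Vault resource model and the report, while the `Microsoft.KeyVault/vaults/accessPolicy/write` operation name and the flat log field names are assumptions to verify against your own tenant's exports.

```python
"""Audit helpers for the Key Vault Contributor escalation path described above.

Added illustration only. Input shapes loosely mimic `az keyvault list`,
`az role assignment list` and Activity Log exports, but all records below are
constructed and the log field names are simplified assumptions.
"""

KEY_VAULT_CONTRIBUTOR = "Key Vault Contributor"          # built-in role named in the report
VAULT_WRITE = "Microsoft.KeyVault/vaults/write"           # permission named in the report
# Assumed operation name for access-policy edits; confirm against real log entries.
ACCESS_POLICY_WRITE = "Microsoft.KeyVault/vaults/accessPolicy/write"


def _in_scope(resource_id, assignment_scope):
    """True if a role assignment at assignment_scope (subscription, resource
    group or vault) applies to resource_id. Trailing slash avoids prefix
    collisions such as /subscriptions/abc matching /subscriptions/abcd."""
    rid, scope = resource_id.lower(), assignment_scope.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")


def vaults_at_risk(vaults, assignments):
    """Map vault name -> sorted principals holding Key Vault Contributor on a
    vault that still uses the legacy access-policy model.

    Vaults with enableRbacAuthorization=True are skipped: access policies are
    ignored there, so vaults/write cannot be turned into data access."""
    findings = {}
    for vault in vaults:
        if vault.get("properties", {}).get("enableRbacAuthorization", False):
            continue
        principals = sorted(
            a["principalId"] for a in assignments
            if a["roleDefinitionName"] == KEY_VAULT_CONTRIBUTOR
            and _in_scope(vault["id"], a["scope"])
        )
        if principals:
            findings[vault["name"]] = principals
    return findings


def suspicious_policy_writes(activity_log, approved_principals):
    """Return (caller, resourceId, operationName) for successful writes that
    can change a vault's access policies and were made by a principal outside
    the approved set (owners, IaC pipelines). Failed attempts are left to a
    separate, noisier rule."""
    hits = []
    for rec in activity_log:
        if rec["operationName"] not in (ACCESS_POLICY_WRITE, VAULT_WRITE):
            continue
        if rec["status"] != "Succeeded" or rec["caller"] in approved_principals:
            continue
        hits.append((rec["caller"], rec["resourceId"], rec["operationName"]))
    return hits


# ---- constructed sample data (placeholder subscription id) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PAYMENTS = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-payments"
RBAC_VAULT = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod-rbac"
DEV_VAULT = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev"

VAULTS = [
    {"name": "kv-prod-payments", "id": PAYMENTS, "properties": {"enableRbacAuthorization": False}},
    {"name": "kv-prod-rbac", "id": RBAC_VAULT, "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-dev", "id": DEV_VAULT, "properties": {"enableRbacAuthorization": False}},
]
ASSIGNMENTS = [
    {"principalId": "alice", "roleDefinitionName": KEY_VAULT_CONTRIBUTOR, "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalId": "bob", "roleDefinitionName": "Key Vault Reader", "scope": SUB},
    {"principalId": "ci-sp", "roleDefinitionName": KEY_VAULT_CONTRIBUTOR, "scope": RBAC_VAULT},
]
ACTIVITY_LOG = [
    {"caller": "alice@example.com", "operationName": ACCESS_POLICY_WRITE, "status": "Succeeded", "resourceId": PAYMENTS},
    {"caller": "automation-sp", "operationName": ACCESS_POLICY_WRITE, "status": "Succeeded", "resourceId": DEV_VAULT},
    {"caller": "alice@example.com", "operationName": "Microsoft.KeyVault/vaults/read", "status": "Succeeded", "resourceId": PAYMENTS},
    {"caller": "mallory@example.com", "operationName": VAULT_WRITE, "status": "Failed", "resourceId": PAYMENTS},
]

if __name__ == "__main__":
    for name, who in vaults_at_risk(VAULTS, ASSIGNMENTS).items():
        print(f"[config] {name}: access-policy model with Key Vault Contributor held by {who}")
    for caller, rid, op in suspicious_policy_writes(ACTIVITY_LOG, {"automation-sp"}):
        print(f"[alert] {caller} performed {op} on {rid}")
```

The first function is the one-time fix: every vault it lists should be migrated to the RBAC permission model (the `enableRbacAuthorization` switch), after which the Contributor assignment no longer implies data access. The second is the standing control Microsoft's updated guidance asks for; in a real deployment the approved set would be the identities that legitimately manage vault policies, and everything else that touches them is worth a ticket.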