Operational Defect Database
BugZero found this defect 374 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Veeam | kb4449
Azure Storage Account Key Security Advisory
Last update date:
5/31/2023
Affected products:
Veeam Backup & Replication
Veeam Backup for Microsoft 365
Veeam Agent for Microsoft Windows
Veeam Agent for Linux
Veeam Backup for Microsoft Azure
Veeam Agent for Mac
Affected releases:
2.0
Fixed releases:
No fixed releases provided.
Description:
Purpose
This article highlights a flaw in the design of Microsoft Azure roles that could lead to breaches between control and data planes. If a control plane user's account is compromised, it can be used to access and alter files stored in the storage accounts accessible to them.
Cause
The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data to the storage accounts. An example of a role with the ListKeys permissions is Storage Account Contributor. Example Diagram:
Solution
We strongly encourage customers to review: Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access Recommended Actions for Customers Veeam's Additional Recommendations: Limit the number of users that have access to your storage accounts. Storage accounts used to store sensitive data should be placed in separate resource groups.
More Information
Microsoft Documentation — Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access Microsoft Documentation — Recommended Actions for Customers Orca Security — From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys
