Operational Defect Database


Veeam | kb4449

Azure Storage Account Key Security Advisory

Last update date:

5/31/2023

Affected products:

Veeam Backup & Replication

Veeam Backup for Microsoft 365

Veeam Agent for Microsoft Windows

Veeam Agent for Linux

Veeam Backup for Microsoft Azure

Veeam Agent for Mac

Affected releases:

12

Fixed releases:

No fixed releases provided.

Description:

Purpose

This article highlights a flaw in the design of Microsoft Azure roles that could allow the boundary between the control plane and the data plane to be breached. If a control plane user's account is compromised, it can be used to read and alter the data stored in every storage account that user can reach.

Cause

The ListKeys permission allows "control plane" users, who are not supposed to be able to modify data, to list access keys. These access keys can then be used to read and write data in the storage accounts. An example of a role with the ListKeys permission is Storage Account Contributor.

Example Diagram: (image not included)
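As an added example (not Veeam's or Microsoft's code), the following Python audit flags role definitions whose Actions cover the listKeys action and whose NotActions do not take it back. The role definitions are constructed sample data shaped like `az role definition list` output, and "Storage Control Plane Operator" is a hypothetical custom role.

```python
"""Flag Azure RBAC role definitions that grant the listKeys action.
Added example; SAMPLE_ROLES is constructed data and the built-in role
entries are approximations, not authoritative definitions."""
import fnmatch

LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed sample. "Storage Control Plane Operator" is a hypothetical
# custom role showing how a NotActions entry removes key listing.
SAMPLE_ROLES = [
    {"roleName": "Reader", "permissions": [
        {"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Contributor", "permissions": [
        {"actions": ["*"],
         "notActions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Storage Account Contributor", "permissions": [
        {"actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []}]},
    {"roleName": "Storage Control Plane Operator", "permissions": [
        {"actions": ["Microsoft.Storage/storageAccounts/*"],
         "notActions": [LIST_KEYS_ACTION]}]},
]

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive; '*' spans '/' segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_grants_action(role: dict, action: str) -> bool:
    """True when an Actions entry covers `action` and no NotActions entry
    in the same permission block excludes it."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def roles_with_list_keys(roles: list) -> list:
    """Names of roles whose holders can list storage account keys and so
    reach the data plane despite being 'control plane' users."""
    return sorted(r["roleName"] for r in roles
                  if role_grants_action(r, LIST_KEYS_ACTION))

if __name__ == "__main__":
    for name in roles_with_list_keys(SAMPLE_ROLES):
        print("grants listKeys:", name)
```

Pointing the same functions at the JSON from `az role definition list` (and at the roles actually assigned on the storage account's resource group) gives the list of principals to review under the Solution below.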

Solution

We strongly encourage customers to review:

Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access

Recommended Actions for Customers

Veeam's Additional Recommendations:

Limit the number of users that have access to your storage accounts.

Storage accounts used to store sensitive data should be placed in separate resource groups.

More Information

Microsoft Documentation — Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access

Microsoft Documentation — Recommended Actions for Customers

Orca Security — From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys


Status

Solved
