Microsoft Dismisses Key Azure Vulnerability Report: No CVE Assigned – What It Means for Your Security

Admin

Azure

A security flaw was found in Azure Backup for AKS that could let low-privileged users gain elevated access. The issue was discovered by security researcher Justin O’Leary, who reported it to Microsoft in March. Microsoft rejected the report, stating that the behaviour only granted access to users who already had admin rights, a characterization O’Leary disputes.

O’Leary argues that the vulnerability actually permits anyone with minimal permissions to gain full administrative control. He escalated the issue to the CERT Coordination Center (CERT/CC), which confirmed the flaw. Despite this, Microsoft still blocked a formal identification of the issue, citing that it didn’t meet their criteria for a CVE (Common Vulnerabilities and Exposures).

On the technical side, the flaw involves how Azure Backup interacts with Kubernetes. Specifically, users holding only the “Backup Contributor” role could trigger a process that inadvertently granted them higher privileges, meaning an attacker could escalate without already holding elevated permissions.
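With no CVE to track, the practical first step for a defender is to know who holds the “Backup Contributor” role and at what scope, since the broader the assignment, the larger the blast radius of any privilege escalation through that role. The script below is an added example, not code from the article or from Microsoft: it takes role assignments in the shape produced by `az role assignment list --all -o json` (the field names `principalName`, `principalType`, `roleDefinitionName` and `scope` are assumed to match that output; the sample data is constructed and the subscription id is a placeholder) and lists holders of the role, broadest scope first.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Field names are assumed from the Azure CLI output; principals, resource
# names and the all-zero subscription id are made-up placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "ci-pipeline-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks/providers/Microsoft.DataProtection/backupVaults/vault-aks"},
  {"principalName": "ops-team", "principalType": "Group",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks"}
]
""")

# Roles the article names as the entry point for the escalation.
ROLES_OF_INTEREST = {"Backup Contributor"}

# Broader scope = larger blast radius; used to sort findings.
SCOPE_ORDER = {"subscription": 0, "resourceGroup": 1, "resource": 2}


def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if "providers" in parts:
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"


def find_role_holders(assignments, roles=ROLES_OF_INTEREST):
    """Return every assignment of a role of interest, broadest scope first."""
    hits = []
    for a in assignments:
        if a.get("roleDefinitionName") not in roles:
            continue
        scope = a.get("scope", "")
        hits.append({
            "principal": a.get("principalName"),
            "type": a.get("principalType"),
            "scope": scope,
            "level": scope_level(scope),
        })
    # Stable sort keeps input order within the same scope level.
    hits.sort(key=lambda h: SCOPE_ORDER[h["level"]])
    return hits


if __name__ == "__main__":
    # Subscription-wide holders are the ones to review first.
    for h in find_role_holders(SAMPLE_ASSIGNMENTS):
        print(f"{h['level']:<14} {h['type']:<17} {h['principal']:<20} {h['scope']}")
```

Feed real output into `find_role_holders` by replacing the constructed sample with `json.load` over the CLI's JSON; subscription-scoped holders, especially service principals and groups, are the assignments to scrutinize while no public advisory states which versions of the integration were affected.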

Interestingly, after submitting his report, O’Leary noticed that the exploit no longer worked, suggesting Microsoft may have silently changed the service to fix the issue. Without a public advisory, however, many organizations remain unaware of their exposure or of when it was addressed.

“Without a CVE, security teams cannot track this exposure,” O’Leary explained. This situation is becoming increasingly common, as tensions grow between researchers striving to improve security and companies reluctant to acknowledge flaws that could harm their reputation.

This case underscores a broader issue in tech. As cybersecurity threats evolve, clear communication and transparency from vendors are crucial; without them, businesses are left exposed, potentially compromising their data and reputations.

For more on cybersecurity trends and vulnerabilities, you can check trusted sources like the Cybersecurity and Infrastructure Security Agency (CISA).



Source link