Privilege Escalation in Azure: Keep your enemies close, and your permissions closer

By Omer Shmuelly, Security Researcher, Cloud Security, published June 8, 2022

As more and more organizations are migrating their infrastructure to the cloud, a unified cloud security tool, such as Check Point’s CloudGuard becomes essential. In an ocean of standards and regulations, managing your cloud security posture (CSPM) can be a challenging task. While some misconfigurations are easy to detect, such as an unencrypted storage account or an internet-facing virtual machine, assessing your Azure Identity and Access Management’s security posture may require you to take a deep dive down the rabbit hole.

This article will provide a few examples of cloud security risks due to privilege escalation, and how CloudGuard CSPM includes comprehensive built-in rules and an industry-leading GSL scripting language to create your own rules in order to improve your Azure security posture.

Azure role-based access control

Azure role-based access control (RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC to enforce permissions, you can segregate duties within your team and grant users the relevant access needed to perform their jobs.

Service principal: A security identity created for each application in a specific tenant, defining the access privileges of a certain security principal.

Managed identities: A managed identity is a service principal of a special type that provides supported resources and applications with a logical identity for AD authentication purposes. A service with a managed identity can use it to connect and authenticate into other AD supported Azure resources, eliminating the maintenance of credentials. There are two types of managed identities:

• System-assigned: A managed identity, which is tied to a single resource life cycle, and to that resource only. A system-assigned identity is only supported for certain resources such as virtual machines, automations, etc.
• User-assigned: A separated stand-alone identity that can be assigned and shared across multiple resources.

What is privilege escalation?

Privilege escalation refers to an unintended way to gain elevated privileges – in this case, for an Azure account or resource.

The principle of least privilege: According to Saltzer and Schroeder in “Basic Principles of Information Protection”: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error.”

In this article, we examine privilege escalation from a cloud perspective, under the assumption that an attacker may have a foothold within the user’s infrastructure. While the risks can vary from impacted availability to exfiltration and manipulation of confidential data, we describe the best practices you should follow to keep your environment as safe as possible.

Although planning and managing your Azure IAM service is not a first line of defense like a cloud network security gateway, it is still a very important step you need to take.

For example, if an attacker managed to gain access to one of your virtual machines that is assigned with a managed identity, they can simply log in to the Azure account by using the virtual machine identity with the following command:

The scale of the impact is determined by the privileges that were given to the virtual machine’s identity. While keeping the identity permissions minimal (according to the Principle of Least Privilege) limits the attacker to certain resources, other permissions may allow the attacker to gain a deeper hold, thus increasing the impact.

Examples of known permissions and their potential risks:

Example 1: Privilege escalation via role assignment

Role assignment: Microsoft defines this as the process of attaching a role definition to a user, group, service principal, or managed identity at a particular level for the purpose of granting access.

A principal with this permission

Can assign a selected role to one or more managed identities, with the possibility of elevating its privileges up to an Owner role within a given resource group.

For example, this command assigns a managed identity with the Owner role:

Relevant CloudGuard CSPM rule:

• AZU.IAM.35 – Ensure to audit role assignments that have implicit role management permissions

Example 2: Privilege escalation via role definition

Role definition: Microsoft defines this as a collection of permissions that lists the actions that can be performed, such as read, write, and delete. It is typically just called for a single role.

A principal with this permission:

Can create new role definitions or redefine existing ones. This can be leveraged by the principal to gain privileges which the account owner never intended to give to a certain principal in the first place.

For example, this command allows a principal to elevate its role definition permissions to perform any action:

You can use the CloudGuard CSPM GSL query to search for Azure role definitions with these specific permissions:

Example 3: Assign existing identity

For example, a resource group Base-RG, which contains a managed identity Linked-Identity with management permissions is assigned to another resource group Target-RG.

A principal within Base-RG with these permissions:

Can assign the “Linked-Identity” managed identity to itself or to other supported resources, and gain access to another resource group scope. For example:

Relevant CloudGuard CSPM rule:

• AZU.IAM.36 – Ensure to audit role assignments that have implicit managed identity permissions

All the examples shown above demonstrate legitimate permissions but can quickly lead to an unforeseen escalation. Therefore, you should take into consideration the principle of least privilege before assigning them to a role.

The principle of least privilege – Guidelines

• Permissions: Always give the minimum permissions which are needed for proper functioning. Even the smallest and harmless permission, such as a standalone read permission to a certain resource, may provide an attacker with the ability to extend his reach to further resources.
• Scope: Make sure to consider the scope of resources to which you expose a particular principal. Even if a principal should have high privileges to a resource like Key Vault, its privilege scope should be limited to the relevant Key Vault only. Limit permissions to act on the smallest scope possible.
• Purpose: Examine the logic and mechanism you want to achieve. Is this the best way to implement it? Should your application manage your database and secrets at the same time?
• Worst case scenario: Always ask yourself what the worst-case scenario is. Risks should be assessed in advance and not after the fact.
• Audit: Infrastructure always changes, and the service design can be dynamic. Make sure to audit inconsistent interval cloud privileges to maintain a strong security posture.

Relevant CloudGuard CSPM rules:

• AZU.IAM.34 – Ensure custom role definition doesn’t have excessive permissions (Wildcard)
• AZU.IAM.37 – Ensure to audit role assignments that have implicit ‘Owner’ permissions

Conclusion

Depending on the set of permissions, privilege escalation can be a simple and, sometimes, unfortunate result. All of the permissions started out as legitimate, but under certain circumstances, escalation turns them into something they were never intended for.

In a world where cloud infrastructure becomes more intricate and complex each day, special attention must be made to permissions and role definitions, with assignments given carefully. That is where Check Point  CloudGuard comes in.

Consistent auditing is a key factor to maintain a good security posture. CloudGuard CSPM makes your audit process efficient and easy with a variety of prevention capabilities.

Next Steps

• For a personalized demo of CloudGuard, click here.
• CloudGuard CSPM is available for 30-day free trial or deployment on Azure Marketplace and can be consumed via PAYG.
• If you’d like to learn more about CloudGuard CSPM, please speak with your Check Point channel partner, your account Security Engineer or contact us.

Additional content for learning and reading

If you are migrating to the cloud and evaluating cloud CSPM solutions, download the Buyer’s Guide to CSPM to understand:

• The top 10 considerations when evaluating and choosing a CSPM solution
• An overview of Check Point CloudGuard and how it answers the top 10 considerations
• The relative benefits of the solutions provided by leading cloud providers and third-party security vendors

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

• Introduction to Cloud Security Blueprint introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
• Cloud Security Blueprint: Architecture and Solutions explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
• This document provides reference architectures for implementing the cloud security blueprint.

Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.