
Privilege Escalation in Azure: Keep your enemies close, and your permissions closer

By Omer Shmuelly, Security Researcher, Cloud Security, published June 8, 2022

As more and more organizations migrate their infrastructure to the cloud, a unified cloud security tool such as Check Point’s CloudGuard becomes essential. In an ocean of standards and regulations, managing your cloud security posture (CSPM) can be a challenging task. While some misconfigurations are easy to detect, such as an unencrypted storage account or an internet-facing virtual machine, assessing the security posture of your Azure Identity and Access Management may require a deep dive down the rabbit hole.

This article provides a few examples of cloud security risks that stem from privilege escalation, and shows how CloudGuard CSPM’s comprehensive built-in rules and industry-leading GSL scripting language let you create your own rules to improve your Azure security posture.

Azure role-based access control

Azure role-based access control (RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC to enforce permissions, you can segregate duties within your team and grant users the relevant access needed to perform their jobs.

Service principal: A security identity created for each application in a specific tenant, defining the access privileges of a certain security principal.

Managed identities: A managed identity is a service principal of a special type that provides supported resources and applications with a logical identity for Azure AD authentication. A service with a managed identity can use it to connect and authenticate to other Azure AD-supported Azure resources, eliminating the need to maintain credentials. There are two types of managed identities:

What is privilege escalation?

Privilege escalation refers to an unintended way to gain elevated privileges – in this case, for an Azure account or resource.

The principle of least privilege: According to Saltzer and Schroeder in “Basic Principles of Information Protection”: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error.”

In this article, we examine privilege escalation from a cloud perspective, under the assumption that an attacker may have a foothold within the user’s infrastructure. While the risks can vary from impacted availability to exfiltration and manipulation of confidential data, we describe the best practices you should follow to keep your environment as safe as possible.

Although planning and managing your Azure IAM service is not a first line of defense like a cloud network security gateway, it is still a very important step you need to take.

For example, if an attacker managed to gain access to one of your virtual machines that has a managed identity assigned, they can simply log in to the Azure account using the virtual machine’s identity with the following command:

The scale of the impact is determined by the privileges that were given to the virtual machine’s identity. While keeping the identity permissions minimal (according to the Principle of Least Privilege) limits the attacker to certain resources, other permissions may allow the attacker to gain a deeper hold, thus increasing the impact.

Examples of known permissions and their potential risks:

Example 1: Privilege escalation via role assignment

Role assignment: Microsoft defines this as the process of attaching a role definition to a user, group, service principal, or managed identity at a particular level for the purpose of granting access.

A principal with this permission:

Can assign a selected role to one or more managed identities, with the possibility of elevating its privileges up to an Owner role within a given resource group.

For example, this command assigns a managed identity with the Owner role:

Relevant CloudGuard CSPM rule:

Example 2: Privilege escalation via role definition

Role definition: Microsoft defines this as a collection of permissions that lists the actions that can be performed, such as read, write, and delete. It is typically just called a role.

A principal with this permission:

Can create new role definitions or redefine existing ones. This can be leveraged by the principal to gain privileges which the account owner never intended to give to a certain principal in the first place.

For example, this command allows a principal to elevate its role definition permissions to perform any action:

You can use the CloudGuard CSPM GSL query to search for Azure role definitions with these specific permissions:

Example 3: Assign existing identity

For example, consider a resource group Base-RG that contains a managed identity Linked-Identity, which holds management permissions on another resource group, Target-RG.

A principal within Base-RG with these permissions:

Can assign the “Linked-Identity” managed identity to itself or to other supported resources, and gain access to another resource group scope. For example:

Relevant CloudGuard CSPM rule:

All the examples shown above demonstrate legitimate permissions but can quickly lead to an unforeseen escalation. Therefore, you should take into consideration the principle of least privilege before assigning them to a role.
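One way to audit for the three permission classes in Examples 1 to 3, as an added example that is not the post’s or CloudGuard’s own code: a Python script that evaluates role definitions (in the JSON shape returned by `az role definition list`) for escalation-capable actions, honouring `*` wildcards and NotActions. Mapping the three examples to the Azure RBAC actions `Microsoft.Authorization/roleAssignments/write`, `Microsoft.Authorization/roleDefinitions/write` and `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` is my reading of the post, and the sample role definitions are constructed.

```python
from fnmatch import fnmatchcase

# Actions behind the post's three examples; these are real Azure RBAC action names,
# but the mapping to the examples is this script's assumption.
ESCALATION_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write": "Example 1: can grant roles, up to Owner",
    "Microsoft.Authorization/roleDefinitions/write": "Example 2: can redefine roles",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action": "Example 3: can attach an existing identity",
}

def action_matches(pattern: str, action: str) -> bool:
    # Azure actions are case-insensitive; '*' in a pattern matches any suffix, '/' included.
    return fnmatchcase(action.lower(), pattern.lower())

def grants(permission: dict, action: str) -> bool:
    # Granted when some Actions entry matches and no NotActions entry carves it back out.
    allowed = any(action_matches(p, action) for p in permission.get("actions", []))
    denied = any(action_matches(p, action) for p in permission.get("notActions", []))
    return allowed and not denied

def risky_actions(role_def: dict) -> dict:
    # {action: reason} for every escalation-capable action this role definition grants.
    return {a: why for a, why in ESCALATION_ACTIONS.items()
            if any(grants(p, a) for p in role_def.get("permissions", []))}

def audit(role_defs: list) -> dict:
    # roleName -> risky actions, omitting roles with nothing to report.
    return {rd["roleName"]: hits for rd in role_defs if (hits := risky_actions(rd))}

# Constructed sample in the shape of `az role definition list` output; not real tenant data.
SAMPLE_ROLE_DEFS = [
    {"roleName": "VM Operator (custom)", "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action"], "notActions": []}]},
    {"roleName": "RG Admin (custom)", "permissions": [{
        "actions": ["Microsoft.Resources/*", "Microsoft.Authorization/*"],
        "notActions": ["Microsoft.Authorization/*/delete"]}]},
    {"roleName": "Contributor-like (custom)", "permissions": [{
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]}]},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ROLE_DEFS).items():
        print(name)
        for action, why in hits.items():
            print(f"  {action}  <- {why}")
```

Note that the Contributor-like role is still flagged for Example 3: its NotActions block role assignment and role definition writes, but the `*` wildcard keeps the identity-assign action, which is exactly the lateral path the third example describes. To run this against a real tenant, replace `SAMPLE_ROLE_DEFS` with the parsed output of `az role definition list --custom-role-only true`.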

The principle of least privilege – Guidelines

Relevant CloudGuard CSPM rules:

Conclusion

Depending on the set of permissions, privilege escalation can be a simple, and sometimes unfortunate, consequence. All of the permissions started out as legitimate, but under certain circumstances, escalation turns them into something they were never intended for.

In a world where cloud infrastructure becomes more intricate and complex each day, special attention must be paid to permissions and role definitions, with assignments given carefully. That is where Check Point CloudGuard comes in.

Consistent auditing is a key factor to maintain a good security posture. CloudGuard CSPM makes your audit process efficient and easy with a variety of prevention capabilities.

Next Steps

Additional content for learning and reading

If you are migrating to the cloud and evaluating cloud CSPM solutions, download the Buyer’s Guide to CSPM to understand:

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.
