According to Bleeping Computer, a security researcher alleges that Microsoft discreetly resolved a critical vulnerability in Azure Backup for AKS, a flaw that could have allowed cluster-admin access from a low-privileged role. The researcher claims Microsoft initially rejected the report and blocked the issuance of a CVE identifier.The vulnerability reportedly discovered by Justin O'Leary allowed users with only the "Backup Contributor" role to gain cluster-admin privileges within Kubernetes clusters. This was reportedly achieved by exploiting the Trusted Access feature in Azure Backup for AKS, which normally grants cluster-admin rights to backup extensions. O'Leary states that an attacker could enable backup on a target AKS cluster, triggering Azure to automatically configure Trusted Access, thereby enabling them to extract secrets or deploy malicious workloads.Microsoft, however, disputes these claims, asserting that the behavior was expected and no product changes were made. Despite Microsoft's stance, the researcher says he documented new permission checks and observed that the original exploit path no longer functions. The CERT Coordination Center independently validated the vulnerability, but Microsoft allegedly blocked the CVE assignment, citing the need for pre-existing administrative access. Source: Bleeping Computer
Patch/Configuration Management
Researcher claims Microsoft silently patched Azure Backup for AKS vulnerability

Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



