Patch/Configuration Management

Researcher claims Microsoft silently patched Azure Backup for AKS vulnerability

According to Bleeping Computer, a security researcher alleges that Microsoft discreetly resolved a critical vulnerability in Azure Backup for AKS, a flaw that could have allowed cluster-admin access from a low-privileged role. The researcher claims Microsoft initially rejected the report and blocked the issuance of a CVE identifier.

The vulnerability reportedly discovered by Justin O'Leary allowed users with only the "Backup Contributor" role to gain cluster-admin privileges within Kubernetes clusters. This was reportedly achieved by exploiting the Trusted Access feature in Azure Backup for AKS, which normally grants cluster-admin rights to backup extensions. O'Leary states that an attacker could enable backup on a target AKS cluster, triggering Azure to automatically configure Trusted Access, thereby enabling them to extract secrets or deploy malicious workloads.

Microsoft, however, disputes these claims, asserting that the behavior was expected and no product changes were made. Despite Microsoft's stance, the researcher says he documented new permission checks and observed that the original exploit path no longer functions. The CERT Coordination Center independently validated the vulnerability, but Microsoft allegedly blocked the CVE assignment, citing the need for pre-existing administrative access. 

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds