NetSPI Finds Privilege Escalation Vulnerability in Azure Function Apps

Cloud penetration testing leader identifies privilege escalation flaw in Azure’s popular solution for building cloud-native applications.

Minneapolis, MN – NetSPI, the leader in offensive security, today published details on a vulnerability found by Vice President of Research Karl Fosaaen, who discovered a flawed functionality in Azure Function Apps that allowed for privilege escalation. 

Fosaaen and the NetSPI research team worked closely with Microsoft to resolve the issue. If left unresolved, users with ‘read only’ permissions on a Function App could gain full access to the Azure Function App container, granting them the ability to view and alter highly sensitive information, like backend code databases and password vaults. 

Function Apps is used for building cloud-native applications in Azure. At its core, Function Apps is a lightweight API service that can be used for building and hosting serverless applications. The Azure Portal allows users to view files associated with the Function App, along with the code for the application endpoints. 

“We see the Function Apps service used in about 80 percent of our penetration testing environments. With this being a privilege escalation issue, a minimally authorized user could have been given access to critical, often restricted roles that would allow them to pivot within an Azure subscription,” said Fosaaen. “Given the simplicity of the issue, it’s surprising that this vulnerability has made it this far without previously being detected, especially with the rise in APIs and cloud-native apps over the past few years.”

Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the file access issues. The Reader role no longer has the ability to read files with the Function App VFS APIs. A technical overview of the vulnerability can be found on the NetSPI blog.  

The NetSPI Labs innovation and research group plans to continue exploring read-only privilege escalation opportunities across Azure. You can see the team’s cloud security research and past vulnerability disclosures at www.netspi.com.

About NetSPI  

NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and the top 50 companies in the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.

Media Contacts: 
Tori Norris, NetSPI 
victoria.norris@netspi.com
(630) 258-0277  

Jessica Bettencourt, Inkhouse for NetSPI
netspi@inkhouse.com
(774) 451-5142