Microsoft's AI research team, while publishing a bucket of open-source training data on GitHub, accidentally exposed 38 terabytes of additional private data - including a disk backup of two employees' workstations. The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

The researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure Storage accounts. The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account - including another 38TB of private files.

This case is an example of the new risks organizations face when starting to leverage the power of AI more broadly, as more of their engineers now work with massive amounts of training data. As data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards.

As part of the Wiz Research Team's ongoing work on accidental exposure of cloud-hosted data, the team scanned the internet for misconfigured storage containers. In this process, we found a GitHub repository under the Microsoft organization named robust-models-transfer. The repository belongs to Microsoft's AI research division, and its purpose is to provide open-source code and AI models for image recognition. Readers of the repository were instructed to download the models from an Azure Storage URL.

[Figure: Redacted Teams conversation between two Microsoft employees]

In addition to the overly permissive access scope, the token was also misconfigured to allow "full control" permissions instead of read-only. This means that not only could an attacker view all the files in the storage account, but they could also delete and overwrite existing files.

This is particularly interesting considering the repository's original purpose: providing AI models for use in training code. The repository instructs users to download a model data file from the SAS link and feed it into a script. The file's format is ckpt, a format produced by the TensorFlow library. It's formatted using Python's pickle formatter, which is prone to arbitrary code execution by design. This means an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft's GitHub repository would have been infected by it.

However, it's important to note that this storage account wasn't directly exposed to the public; in fact, it was a private storage account. The Microsoft developers used an Azure mechanism called "SAS tokens", which allows you to create a shareable link granting access to an Azure Storage account's data - while upon inspection, the storage account would still seem completely private.

[Figure: Creating a high-privilege non-expiring SAS token]

Because of this, when a user creates a highly-permissive non-expiring token, there is no way for an administrator to know this token exists and where it circulates.

SAS tokens pose a security risk, as they allow sharing information with external unidentified identities. The risk can be examined from several angles: permissions, hygiene, and management and monitoring.

Permissions - A SAS token can grant a very high access level to a storage account, whether through excessive permissions (like read, list, write, or delete) or through wide access scopes that allow users to access adjacent storage containers.

Hygiene - SAS tokens have an expiry problem: our scans and monitoring show organizations often use tokens with a very long (sometimes infinite) lifetime, as there is no upper limit on a token's expiry. This was the case with Microsoft's token, which was valid until 2051.

Management and monitoring - Account SAS tokens are extremely hard to manage and revoke. There isn't any official way to keep track of these tokens within Azure, nor to monitor their issuance, which makes it difficult to know how many tokens have been issued and are in active use. Revoking a token is no easy task either - it requires rotating the account key that signed the token, rendering all other tokens signed by the same key ineffective as well.

These unique pitfalls make this service an easy target for attackers looking for exposed data. Besides the risk of accidental exposure, the service's pitfalls also make it an effective tool for attackers seeking to maintain persistence on compromised storage accounts. A recent Microsoft report indicates that attackers are taking advantage of the service's lack of monitoring capabilities in order to issue privileged SAS tokens as a backdoor. Since the issuance of the token is not documented anywhere, there is no way to know that it was issued and to act against it.
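The pickle risk mentioned above is easy to demonstrate: during deserialization, pickle invokes whatever callable an object's `__reduce__` method names, so simply loading a file can execute code. Below is a minimal, self-contained sketch of the technique - the class name is hypothetical and the harmless `eval("2 + 2")` stands in for attacker-controlled code; this is an illustration of pickle's behavior, not the actual payload found in any ckpt file:

```python
import pickle

class MaliciousModel:
    # pickle calls __reduce__ to learn how to rebuild the object on load;
    # returning (callable, args) makes pickle.loads() invoke that callable,
    # so attacker-chosen code runs the moment the file is deserialized.
    def __reduce__(self):
        return (eval, ("2 + 2",))  # stand-in for malicious code

# An attacker would ship this as the "model file":
payload = pickle.dumps(MaliciousModel())

# The victim merely loads the file - the embedded call executes,
# and the "object" they get back is eval's return value.
result = pickle.loads(payload)
print(result)  # prints 4
```

This is why loading a pickle-based checkpoint from an untrusted source is equivalent to running untrusted code, and why a writable SAS link to published model files is so dangerous.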