Full Report
A critical Azure Machine Learning flaw allows privilege escalation, risking subscription compromise
Analysis Summary
As a vulnerability research specialist, here is the summary of the disclosed security flaw:
# Vulnerability: Privilege Escalation in Azure Machine Learning (AML) Service via Invoker Script Modification
## CVE Details
* **CVE ID:** Information not explicitly provided in the summary material.
* **CVSS Score:** Information not explicitly provided in the summary material, but described as "critical."
* **CWE:** Information not explicitly provided in the summary material.
## Affected Systems
* **Products:** Azure Machine Learning (AML) Service.
* **Versions:** Not specified, but applies where AML compute instances are configured with broad/privileged managed identities.
* **Configurations:** Vulnerable when AML stores invoker scripts (Python orchestration files) in an associated Storage Account and the compute instance's managed identity inherits creator-level permissions (common with default SSO configurations).
## Vulnerability Description
The vulnerability stems from how the Azure Machine Learning Service handles and executes *invoker scripts* within customer-managed Storage Accounts automatically created by AML. An attacker who possesses **Storage Account write permissions** can replace these legitimate invoker scripts with malicious code. Since these scripts execute with the high-level permissions associated with the AML compute instance's managed identity (which often defaults to the creator’s privileges, potentially including **Owner** on the subscription), the attacker can achieve significant privilege escalation.
## Exploitation
* **Status:** Proof of Concept (PoC) available (demonstrated by Orca).
* **Complexity:** Low (requires only Storage Account write access).
* **Attack Vector:** Adjacent/Network (upon successful execution within the AML pipeline context).
### Impact
* **Confidentiality:** High (ability to extract secrets from Azure Key Vault).
* **Integrity:** High (ability to execute arbitrary code).
* **Availability:** High (potential for full subscription compromise).
## Remediation
### Patches
* Microsoft has acknowledged the finding, but specific patch versions or release dates are not detailed in this summary article.
### Workarounds
The primary mitigation strategies revolve around restricting access rights:
1. **Principle of Least Privilege:** Ensure that users/identities accessing the AML Storage Account for script modification only have the **minimum necessary permissions** required for their operational role, strictly avoiding broad write access if not essential.
2. **Managed Identity Review:** Carefully review and restrict the permissions assigned to the Managed Identities of AML compute instances, especially ensuring they do not default to subscription-level 'Owner' roles.
## Detection
* **Indicators of Compromise (IoCs):** Look for unexpected modifications or execution traces related to Python invoker scripts within the AML-associated Storage Account. Elevated access attempts or calls originating from AML compute instance identities targeting Azure Key Vault or subscription management APIs.
* **Detection Methods and Tools:** Utilize Azure monitoring (Azure Monitor, Azure Security Center/Defender for Cloud) to track unusual execution context within AML pipelines and unauthorized access patterns against Storage Account blobs.
## References
* Vendor Advisory (Mentioned implicitly via reporting by Orca and acknowledgement by Microsoft).
* *Security Firm Reporting:* Orca Security.
* Relevant link (Defanged): `hXXps://www.infosecurity-magazine.com/news/privilege-escalation-flaw-azure-ml/`