Several Azure built-in roles were found to include a generic */read permission that grants broader access than their names or descriptions indicate.
Ten service-specific roles unintentionally include */read, allowing users to view all Azure resources instead of only those related to the service.
A vulnerability in the Azure API exposed VPN Gateway pre-shared keys through a GET request rather than a POST, so a generic read permission was enough to retrieve the VPN key.
An attacker with any over-privileged or generic read role can retrieve the VPN PSK and connect to on-premises or cloud networks via the Azure VPN Gateway.
Microsoft fixed the VPN key leak by requiring a dedicated sharedKey/action permission and updated role documentation, but did not correct the over-privileged roles themselves.
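The two findings above (service-named roles that quietly carry a tenant-wide */read, and a secret that a read-only role could fetch) both come down to checking what a role's action list actually matches. The following audit script is an added example written for this summary; it is not code from Microsoft or from the researchers. It evaluates Azure RBAC action wildcards the way the platform does (case-insensitive, `*` matching any run of characters, notActions subtracting from actions) and flags service-specific roles that can read resources in providers they never name. The role definitions and probe operations are constructed sample data in the shape of `az role definition list` output, not the real affected roles.

```python
import json
import re

# Constructed sample in the shape of `az role definition list` output.
# These are NOT the real over-privileged roles; the names are placeholders.
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
  {
    "roleName": "Example Service Operator (constructed)",
    "description": "Manage Example Service resources.",
    "permissions": [
      {"actions": ["Microsoft.ExampleService/*", "*/read"], "notActions": []}
    ]
  },
  {
    "roleName": "Example Service Viewer (constructed)",
    "description": "View Example Service resources.",
    "permissions": [
      {"actions": ["Microsoft.ExampleService/*/read"], "notActions": []}
    ]
  },
  {
    "roleName": "Reader (constructed, tenant-wide by design)",
    "description": "View all resources.",
    "permissions": [
      {"actions": ["*/read"], "notActions": []}
    ]
  }
]
""")

# Reads in providers unrelated to "Example Service"; a role that can perform
# these while claiming to be service-specific is broader than its name suggests.
PROBE_READS = [
    "Microsoft.Network/virtualNetworkGateways/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.KeyVault/vaults/read",
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action strings are case-insensitive; '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Allowed if some permission block's actions match and none of its notActions match."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(a, operation) for a in perm.get("actions", []))
        denied = any(action_matches(n, operation) for n in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def declared_providers(role: dict) -> set:
    """Resource providers the role names explicitly (wildcard-only entries name none)."""
    providers = set()
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            head = action.split("/", 1)[0].lower()
            if head.startswith("microsoft."):
                providers.add(head)
    return providers


def find_overbroad_read_roles(role_defs: list, probe_reads=PROBE_READS) -> dict:
    """Map role name -> probe reads it allows outside the providers it declares.

    Roles that name no provider at all (e.g. a plain Reader) are skipped: their
    tenant-wide read is by design, which is exactly the distinction the research draws.
    """
    findings = {}
    for role in role_defs:
        providers = declared_providers(role)
        if not providers:
            continue
        leaked = [
            op for op in probe_reads
            if op.split("/", 1)[0].lower() not in providers and role_allows(role, op)
        ]
        if leaked:
            findings[role["roleName"]] = leaked
    return findings


if __name__ == "__main__":
    for name, ops in find_overbroad_read_roles(SAMPLE_ROLE_DEFINITIONS).items():
        print(f"{name}: can read outside its declared providers -> {ops}")
```

To run this against a real tenant, replace SAMPLE_ROLE_DEFINITIONS with the parsed output of `az role definition list` and extend PROBE_READS with the reads you care most about; the operator role in the sample is flagged because its `*/read` entry matches every probe, while the viewer role, scoped to `Microsoft.ExampleService/*/read`, is not.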