Permission Impossible: Hidden Dangers of Azure RBAC and API Vulnerabilities
Ariel Simon
fwd:cloudsec Europe 2025 · Day 1 · Main Room
Ariel Simon, a security researcher at Token Security, presented a two-part discovery in Azure's permission model that chains overprivileged built-in roles with an API vulnerability to achieve a novel attack: escalating from a weak cloud user with read-only permissions to full on-premises network compromise. The first finding reveals that **10 Azure built-in roles** — including seemingly innocuous roles like "Log Analytics Reader" and "Managed Applications Reader" — secretly grant `*/read` permissions across all Azure control plane resources, far exceeding their documented scope. The second finding is an API vulnerability where a VPN gateway endpoint that returns a **pre-shared key** (PSK) was implemented using an HTTP GET method instead of POST, bypassing Azure's permission enforcement for secret access. Combined, these allow any user assigned one of the overprivileged roles to steal VPN credentials and establish a site-to-site VPN connection into internal networks. Microsoft confirmed the API vulnerability as important severity and patched it.
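A defender-side check for the first finding, added here as an example and not code from the talk: given role definitions in the JSON shape that `az role definition list` prints, it reports which roles effectively allow a read action outside their own service, honouring the NotActions carve-outs that Azure RBAC applies before granting. The two role definitions are constructed samples, and the probe action `Microsoft.Network/virtualNetworkGateways/read` is assumed to be a representative control-plane read on the VPN gateway resource.

```python
"""Flag Azure role definitions whose effective Actions reach beyond their service.

Input is the JSON shape produced by `az role definition list`
(roleName, permissions[].actions / permissions[].notActions).
"""
import fnmatch
import json

# Constructed sample in the shape of `az role definition list` output.
SAMPLE_ROLE_DEFINITIONS = json.dumps([
    # Mirrors the talk's finding: a service-named reader that also carries '*/read'.
    {"roleName": "Example Service Reader",
     "permissions": [{"actions": ["*/read", "Microsoft.Example/jobs/action"],
                      "notActions": []}]},
    # Properly scoped: reads only within its own resource provider.
    {"roleName": "Example Scoped Reader",
     "permissions": [{"actions": ["Microsoft.Example/*/read"], "notActions": []}]},
    # Wildcard read, but networking is carved out via NotActions.
    {"roleName": "Example Reader Minus Network",
     "permissions": [{"actions": ["*/read"], "notActions": ["Microsoft.Network/*"]}]},
])

# Assumed representative control-plane read action on the VPN gateway resource.
PROBE_ACTION = "Microsoft.Network/virtualNetworkGateways/read"


def _matches(pattern: str, action: str) -> bool:
    """Azure action wildcards ('*') span '/' separators, which fnmatch also does."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(role: dict, action: str) -> bool:
    """True if some permission block lists a matching Actions entry that is not
    carved out by a matching NotActions entry (the RBAC evaluation order)."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def find_overreaching_roles(role_definitions_json: str, probe: str = PROBE_ACTION) -> list[str]:
    """Return names of roles that effectively grant `probe`, a read action the
    role's name gives no hint of; review each hit against its documented scope."""
    roles = json.loads(role_definitions_json)
    return [r["roleName"] for r in roles if grants_action(r, probe)]


if __name__ == "__main__":
    for name in find_overreaching_roles(SAMPLE_ROLE_DEFINITIONS):
        print(f"overreaching role: {name}")
```

Running it against live output (`az role definition list > roles.json`) replaces only the sample string; the flagged list is a review queue, not proof of compromise.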
AI review
Simon delivers a clean, well-researched attack chain that turns Azure's own RBAC model against itself — escalating from a 'read-only' service-specific role to on-premises network compromise via a VPN pre-shared key leak. The root cause analysis of HTTP-method-based permission enforcement is the real gem, revealing a systemic design pattern that could harbor additional vulnerabilities. The confirmed important-severity MSRC classification and bounty validate the finding.