Microsoft Azure Logic Apps Elevation of Privilege Vulnerability

Vulnerability

A vulnerability allowing elevation of privilege has been identified in Azure Logic Apps. This issue arises from insufficiently protected credentials, which could enable an authorized attacker to gain administrative privileges over a network. Exploitation could involve creating a forged authentication token to access administrative function APIs, potentially allowing the retrieval of keys, access to the file system, and deployment of unauthorized code within the Logic Apps environment.

Impact

Exploitation of this vulnerability could lead to unauthorized administrative access in Azure Logic Apps, allowing attackers to manipulate app functionality and resources.

Remediation

Customers are protected through automatic service-side updates. However, for existing Logic Apps created with WEBSITE_AUTH_ENCRYPTION_KEY as an environment variable, a small update is required to fully mitigate the issue. New or updated Logic Apps are automatically mitigated without any customer action.

Added: Apr 14, 2026, 8:21 PM
Updated: Apr 14, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.8
remediation: 0.0
relevance: 5.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.