Privilege escalation flaw found in Azure Machine Learning service
A critical privilege escalation vulnerability affecting Azure Machine Learning (AML) has been discovered by cybersecurity researchers.
The flaw allows attackers with only Storage Account access to execute arbitrary code within AML pipelines, potentially leading to full subscription compromise under default configurations.
The issue, identified by cloud security firm Orca, arises from the way AML stores and executes invoker scripts (Python files that orchestrate ML components) inside an automatically created Storage Account. These scripts, when modified, run with the permissions of the AML compute instance, which often carries broad or highly privileged identities.
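A defender can watch for the condition described above by reviewing blob write operations against the workspace's Storage Account. The following is an added example, not code from Orca or Microsoft: it flags successful writes to Python blobs that cannot be tied to an expected identity. Field names follow the Azure Monitor `StorageBlobLogs` schema; the account, container, blob paths, object IDs and the trusted-writer list are constructed assumptions.

```python
import json

# Constructed sample records (one JSON object per line); every value is made up.
SAMPLE_LOGS = """
{"TimeGenerated":"2025-01-01T10:00:00Z","OperationName":"PutBlob","StatusCode":201,"AuthenticationType":"OAuth","RequesterObjectId":"aaaaaaaa-0000-0000-0000-000000000001","ObjectKey":"/examplestore/example-container/components/invoke.py"}
{"TimeGenerated":"2025-01-01T11:30:00Z","OperationName":"PutBlob","StatusCode":201,"AuthenticationType":"AccountKey","RequesterObjectId":"","ObjectKey":"/examplestore/example-container/components/invoke.py"}
{"TimeGenerated":"2025-01-01T11:45:00Z","OperationName":"PutBlockList","StatusCode":201,"AuthenticationType":"OAuth","RequesterObjectId":"bbbbbbbb-0000-0000-0000-000000000002","ObjectKey":"/examplestore/example-container/components/train.py"}
{"TimeGenerated":"2025-01-01T12:00:00Z","OperationName":"PutBlob","StatusCode":201,"AuthenticationType":"SAS","RequesterObjectId":"","ObjectKey":"/examplestore/example-container/data/input.csv"}
{"TimeGenerated":"2025-01-01T12:05:00Z","OperationName":"PutBlob","StatusCode":403,"AuthenticationType":"AccountKey","RequesterObjectId":"","ObjectKey":"/examplestore/example-container/components/score.py"}
"""

# Blob operations that create or replace content.
WRITE_OPS = {"PutBlob", "PutBlockList", "CopyBlob", "AppendBlock"}
# Assumption: object IDs of the identities expected to publish pipeline code.
TRUSTED_WRITERS = {"aaaaaaaa-0000-0000-0000-000000000001"}


def suspicious_script_writes(log_lines, trusted=TRUSTED_WRITERS):
    """Return (time, blob, reason) for each successful write to a .py blob
    that was not made by a trusted, attributable identity."""
    findings = []
    for line in log_lines.strip().splitlines():
        rec = json.loads(line)
        if rec["OperationName"] not in WRITE_OPS:
            continue
        if not 200 <= int(rec["StatusCode"]) < 300:
            continue  # a rejected request changed nothing
        if not rec["ObjectKey"].lower().endswith(".py"):
            continue  # only executable pipeline scripts are of interest here
        auth = rec.get("AuthenticationType", "")
        writer = rec.get("RequesterObjectId", "")
        if auth != "OAuth":
            # Account keys and SAS tokens carry no principal to attribute.
            reason = f"write via {auth}: no identity to attribute"
        elif writer not in trusted:
            reason = f"writer {writer} not in trusted set"
        else:
            continue
        findings.append((rec["TimeGenerated"], rec["ObjectKey"], reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_script_writes(SAMPLE_LOGS):
        print(*finding, sep=" | ")
```
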
Read more at Infosecurity Magazine