A security vulnerability in Azure Service Tags, identified by Tenable's research team, has potential implications for the privacy of Azure user data.
Tenable has urged Microsoft to address the discovered issues, stating the vulnerability affects multiple Azure services. They advocate for additional protective measures to ensure customer data is safe.
The Exploitation Method
Azure Service Tags are collections of IP addresses meant to simplify the management of firewall rules and ACLs, ensuring the isolation and protection of resources on Microsoft’s cloud platform. They function by restricting unwanted traffic while permitting communications from trusted Azure services.
Liv Matan from Tenable details how malicious actors could exploit a vulnerability in Azure Service Tags to initiate web requests resembling Server-Side Request Forgery (SSRF). By imitating authenticated Azure services, these attacks can penetrate firewalls set up with Azure Service Tags. Ordinarily, these firewall rules aim to safeguard services and confidential data without requiring additional authentication.
The vulnerability is linked to the "availability test" feature in the "classic test" or "standard test" configurations, which can be leveraged to reach internal services and APIs listening on ports 80 and 443. The Application Insights Availability service's testing feature is particularly exposed, because it lets the tester control the HTTP method, the headers, and the content of the request it sends.
Broader Impact
Tenable's findings suggest that Azure Application Insights is not the only service affected. At least ten other Azure services are susceptible, including Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
To counteract the threat, Matan recommends that Azure customers introduce additional layers of authentication and authorization beyond the standard network controls associated with Azure Service Tags.
Microsoft’s Position on the Issue
Microsoft has responded by stating that Service Tags are designed as a routing solution rather than a security perimeter and should be used with validation mechanisms. According to Microsoft, Service Tags are not intended to negate the need for input validation that prevents web request vulnerabilities.
Microsoft has also noted that neither internal nor third-party investigations have found any evidence of the exploit being used maliciously. They emphasize the necessity of implementing further authorization and authentication checks to bolster network security and protect Azure services from unauthorized access.
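The recommendation from both Tenable and Microsoft is that a Service Tag allowlist narrows exposure but does not identify the caller. The following is an added illustration, not code from Tenable or Microsoft: a request handler that checks the source address against a tag's ranges and then still requires a verifiable token before granting access. The prefixes and secret are constructed placeholders, and the HMAC token stands in for an identity-based credential such as a validated Entra ID access token.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample prefixes standing in for a Service Tag's published ranges
# (placeholder values, not real Azure Service Tag addresses).
SERVICE_TAG_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Hypothetical shared secret for the workload; a token issued and validated by an
# identity provider is the stronger choice in production.
APP_SECRET = b"example-secret-not-for-production"
TOKEN_TTL = 300  # seconds


def from_service_tag(remote_ip):
    """Network-layer check only: is the source address inside the tag's ranges?"""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in SERVICE_TAG_PREFIXES)


def issue_token(subject, now):
    """Mint 'subject.expiry.hmac' so a caller can prove who it is, not just where it is from."""
    exp = now + TOKEN_TTL
    mac = hmac.new(APP_SECRET, f"{subject}.{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{exp}.{mac}"


def token_valid(token, now):
    """Recompute the HMAC, compare in constant time, and reject expired tokens."""
    try:
        subject, exp, mac = token.split(".")
        exp = int(exp)
    except ValueError:
        return False
    if exp < now:
        return False
    expected = hmac.new(APP_SECRET, f"{subject}.{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def is_authorized(remote_ip, headers, now):
    """Defence in depth: a request relayed through an Azure service arrives from an
    allowlisted address and so passes the first check; without a valid token it is
    still refused, which is the layer the Service Tag alone does not provide."""
    if not from_service_tag(remote_ip):
        return False
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return token_valid(auth[len("Bearer "):], now)
```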
This is not an isolated incident for Microsoft's Azure. Previous vulnerabilities such as the 'AutoWarp' bug have exposed other risks, allowing unauthorized access to user accounts. Moreover, in 2021, Azure faced a major DDoS attack against its Asian users, which was described as one of the largest on record and was successfully mitigated by the company. These occurrences illustrate ongoing security challenges for Azure, which nevertheless remains a leading cloud service provider for businesses of various sizes worldwide.
Last Updated on November 7, 2024 7:53 pm CET