Microsoft paid Tenable a bug bounty for an Azure flaw it says needs no fix, just better documentation

A vulnerability — or just Azure working as intended, depending on who you ask — in Microsoft’s cloud potentially allows bad guys to bypass firewall rules and access other people’s private web resources.

The issue, discovered by the research team at the Tenable vulnerability assessment group, originates from Service Tags, which are an Azure construct.

These tags can be used to group together the IP addresses used by Azure services, so that in theory it’s easier to control network access to and from those resources. For example, if you want a specific Azure service to interact with your private web application, you can use a service tag to only allow connections of that specific service through a firewall to the application.

Microsoft suggests that when Azure users create these types of security policies, they apply them to Service Labels instead of individual Azure IP addresses.

Tenable believes that these tags could be abused by a rogue Azure customer to access other customers’ stuff—a cross-tenant attack—if those victims rely on Service Tags in their firewall rules. Microsoft, however, will not fix the problem because Redmond does not rate the issue as a vulnerability. Instead, Microsoft believes the issue is a misunderstanding about how someone decides to “use Service Tags and their intended purpose.”

However, after Tenable discovered the problem in January, Microsoft confirmed it was a “creation of privilege flaw,” with a “significant” severity level, and paid Tenable a bug bounty.

A month later, according to Tenable, Microsoft developed a “comprehensive fix” and an implementation timeline, but then decided to only address it with “a comprehensive documentation update.” The Windows giant seems to think that the security vulnerability with Service Tags can best be solved with combined layers of security controls.

“We appreciate working with Tenable to responsibly disclose the risk inherent in using service tags as a single mechanism for verifying secure network traffic,” a Microsoft spokesperson said. registry.

“We encourage customers to take a multi-layered security approach when it comes to validating their security measures to only authenticate trusted network traffic for Service Labels,” the spokesperson added.

“We strongly recommend customers proactively review their use of service tags as described in our blog.”

So instead of a patch, Microsoft has published “enhanced instructions” for Azure Service Tags in its documentation.

From a security perspective, addressing gaps – whether it’s a communication gap or a technology gap – is essential to ensure user safety

“Further investigation into Tenable’s report determined that Service Tags work as designed and best practices should be clearly communicated through service documentation, as we communicated in our subsequent correspondence with Tenable,” the Windows maker argued.

In that blog post, Microsoft notes that “no exploitation or abuse of Service Tags has been reported by a third party or seen in the wild as per our investigation.”

Meanwhile, Tenable published its own technical description of the issue, along with a proof-of-concept scenario that can be used to exploit the issue using Azure Application Services.

In addition to that Microsoft cloud service, the vulnerability affects at least 10 other Azure services, we’re told. These include the platform’s Application Insights, DevOps, Machine Learning, Logic Apps, Container Registry, Load Testing, API Management, Data Factory, Action Group, AI Video Indexer and its Chaos Studio.

This isn’t the first time — or even the second time — that the two security shops have clashed over Redmond’s bug-finding habits or larger infosec practices.

Senior research engineer Liv Matan declined to comment specifically on Microsoft’s decision not to release a patch, or call it a vulnerability, in this case. No matter how you describe it, he said, it needs to be addressed to ensure user safety.

“Many customers are using Azure Service Labels to achieve network isolation,” Matan said registry. “Our new discovery exposed how attackers can breach that isolation and reach internal customer assets. From a security perspective, addressing gaps — whether it’s a communication gap or a technology gap — is critical to ensuring user security .”

For the nitty-gritty details of the security vulnerability, see the Tenable advisory. In summary, it boils down to allowing users to send customizable HTTP requests to web applications via various Azure services, and those applications trust the requests because they come from a service that is covered by a service tag.

Thus, we are led to believe that it is possible for an Azure user to inspect HTTP requests sent by an Azure service to another client, and whether that other client blindly trusts the request – because it comes from a service covered by a service tag – reaches the victim application, allowing the rogue user to (say) control or monitor that application potentially remotely.

“When a service gives users the ability to control requests from the server, and the service connects to Azure Service Tags, things can be at risk if the client doesn’t have additional layers of protection,” Tenable warned.

To prevent this type of abuse, Microsoft recommends adding authentication and authorization checks rather than just relying on firewall rules.

So, for example, customers using Azure Monitor Availability Tests, which allow them to monitor the uptime of their resources, would do the following:

The bottom line, according to both vendors, is to implement multiple layers of security to protect valuable resources and data. ®

Leave a Comment

×