Safety researchers at Tenable found what they describe as a high-severity vulnerability in Azure Service Tags that might enable attackers to entry prospects’ non-public information.
Service Tags are teams of IP addresses for a particular Azure service used for firewall filtering and IP-based Entry Management Lists (ACLs) when community isolation is required to safeguard Azure assets. That is achieved by blocking incoming or outgoing Web site visitors and solely permitting Azure service site visitors.
Tenable’s Liv Matan defined that menace actors can use the vulnerability to craft malicious SSRF-like internet requests to impersonate trusted Azure companies and bypass firewall guidelines primarily based on Azure Service Tags, typically used to safe Azure companies and delicate information with out authentication checks.
“It is a excessive severity vulnerability that might enable an attacker to entry Azure prospects’ non-public information,” Matan mentioned.
Attackers can exploit the “availability take a look at” function within the “traditional take a look at” or “commonplace take a look at” performance, permitting them to entry inner companies and doubtlessly expose inner APIs hosted on ports 80/443.
This may be achieved by abusing the Utility Insights Availability service’s availability exams function, which grants attackers the flexibility so as to add customized headers, modify strategies, and customise their HTTP requests as wanted.
Matan has shared extra technical info in his report on abusing customized headers and Azure Service Tags to entry inner APIs that aren’t usually uncovered.
“Since Microsoft doesn’t plan to problem a patch for this vulnerability, all Azure prospects are in danger. We extremely suggest prospects instantly evaluation the centralized documentation issued by MSRC and comply with the rules completely.”
Whereas found within the Azure Utility Insights service, Tenable researchers discovered that it impacts a minimum of ten others. The entire record consists of:
- Azure DevOps
- Azure Machine Studying
- Azure Logic Apps
- Azure Container Registry
- Azure Load Testing
- Azure API Administration
- Azure Data Manufacturing facility
- Azure Motion Group
- Azure AI Video Indexer
- Azure Chaos Studio
To defend towards assaults profiting from this problem, Tenable advises Azure prospects so as to add further authentication and authorization layers on high of community controls primarily based on Service Tags to guard their property from publicity.
The corporate provides that Azure customers ought to assume that property in affected companies are publicly uncovered if they aren’t adequately secured.
“When configuring Azure companies’ community guidelines, keep in mind that Service Tags are usually not a watertight solution to safe site visitors to your non-public service,” Matan added.
“By making certain that robust community authentication is maintained, customers can defend themselves with a further and essential layer of security.”
Microsoft disagrees
Nevertheless, Microsoft disagrees with Tenable’s evaluation that that is an Azure vulnerability, saying that Azure Service Tags weren’t meant as a security boundary, despite the fact that that was not clear of their unique documentation.
“Service tags are to not be handled as a security boundary and will solely be used as a routing mechanism along side validation controls,” Microsoft mentioned.
“Service tags are usually not a complete solution to safe site visitors to a buyer’s origin and don’t substitute enter validation to forestall vulnerabilities that could be related to internet requests.”
The corporate says further authorization and authentication checks are required for a layered community security method to guard prospects’ Azure service endpoints from unauthorized entry makes an attempt.
Redmond added that its security crew or third events are but to seek out proof of exploitation or abuse of service tags in assaults.
