Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers

Jun 10, 2024 | Newsroom | Cloud Security / Vulnerability

Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and bypass firewall rules, thereby allowing them to gain unauthorized access to cloud resources.

“This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic,” the Microsoft Security Response Center (MSRC) said in guidance issued last week.

“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”


The statement comes in response to findings from cybersecurity firm Tenable, which discovered that Azure customers whose firewall rules rely on Azure Service Tags could be bypassed. There is no evidence that the feature has been exploited in the wild.

The issue, at its core, stems from the fact that some Azure services allow inbound traffic via a service tag, potentially allowing an attacker in one tenant to send specially crafted web requests to access resources in another, assuming the target has been configured to allow traffic from the service tag and does not perform any authentication of its own.

At least 10 Azure services were found vulnerable: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.

“This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services,” Tenable researcher Liv Matan said. “This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers’ internal assets, data, and services.”

In response to the disclosure in late January 2024, Microsoft has updated the documentation to explicitly note that “Service Tags alone aren’t sufficient to secure traffic without considering the nature of the service and the traffic it sends.”

It is also recommended that customers review their use of service tags and ensure they have adopted adequate security guardrails to authenticate only trusted network traffic for service tags.
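The difference between the weak pattern the advisory warns about (a service tag as the only gate) and the recommended one (service tag as a routing filter plus the receiving application's own authentication) is easiest to see side by side. The following is an added example, not code from the article, Microsoft or Tenable: the prefix list stands in for the address ranges behind a service tag and uses RFC 5737 documentation addresses, the shared secret and the `X-Request-Signature` header are constructed for the example, and the HMAC scheme is one illustrative form of application-level validation rather than a prescribed Azure mechanism.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for the prefixes a service tag resolves to.
# Real tags map to Microsoft-published ranges; these are RFC 5737
# documentation addresses used only for this example.
SERVICE_TAG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical secret provisioned out of band to the one caller we
# actually trust (constructed value; a real deployment would load it
# from a secrets store and rotate it).
SHARED_SECRET = b"example-secret-rotate-me"
SIGNATURE_HEADER = "X-Request-Signature"


def source_matches_service_tag(source_ip: str) -> bool:
    """Network-layer check only: does the caller sit inside the tag's ranges?

    Every tenant whose traffic leaves from those ranges passes this test, which
    is exactly why it cannot serve as a security boundary on its own.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in SERVICE_TAG_PREFIXES)


def weak_authorize(source_ip: str, headers: dict, body: bytes) -> bool:
    """The pattern the advisory warns about: the service tag is the only gate.

    Any caller able to originate traffic from the tag's prefixes is accepted,
    regardless of which tenant it belongs to.
    """
    return source_matches_service_tag(source_ip)


def sign(body: bytes) -> str:
    """Signature the trusted caller attaches (HMAC-SHA256 over the body)."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def hardened_authorize(source_ip: str, headers: dict, body: bytes) -> bool:
    """Service tag as a routing filter plus the application's own validation.

    The network check still trims the exposed surface, but acceptance also
    requires proof that the caller holds the secret; a request from the right
    ranges but the wrong tenant fails here.
    """
    if not source_matches_service_tag(source_ip):
        return False
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign(body)
    # Constant-time comparison so the check itself does not leak the secret.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    body = b'{"job": "availability-check"}'
    in_range_unsigned = ("203.0.113.7", {}, body)
    in_range_signed = ("203.0.113.7", {SIGNATURE_HEADER: sign(body)}, body)
    print("weak, in-range, no proof:   ", weak_authorize(*in_range_unsigned))
    print("hardened, in-range, no proof:", hardened_authorize(*in_range_unsigned))
    print("hardened, in-range, signed:  ", hardened_authorize(*in_range_signed))
```

Run as a script, the first line prints `True` and the second `False`: the network rule alone admits any in-range caller, while the hardened check rejects the same request until it carries a valid signature.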
