Azure Service Tags tagged as security risk, Microsoft disagrees

Security researchers at Tenable found what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers' private data.

Service Tags are groups of IP addresses for a specific Azure service, used for firewall filtering and IP-based Access Control Lists (ACLs) when network isolation is required to safeguard Azure resources. This is achieved by blocking incoming or outgoing Internet traffic and only allowing Azure service traffic.

Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, which are often used to secure Azure services and sensitive data without authentication checks.

"This is a high severity vulnerability that could allow an attacker to access Azure customers' private data," Matan said.

Attackers can exploit the "availability test" feature in the "classic test" or "standard test" functionality, allowing them to access internal services and potentially expose internal APIs hosted on ports 80/443.

This can be achieved by abusing the Application Insights Availability service's availability tests feature, which grants attackers the ability to add custom headers, modify methods, and customize their HTTP requests as needed.

Matan has shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that aren't normally exposed.

“Since Microsoft does not plan to issue a patch for this vulnerability, all Azure customers are at risk. We highly recommend customers immediately review the centralized documentation issued by MSRC and follow the guidelines thoroughly.”

While discovered in the Azure Application Insights service, Tenable researchers found that it affects at least ten others. The complete list includes:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

To defend against attacks taking advantage of this issue, Tenable advises Azure customers to add additional authentication and authorization layers on top of network controls based on Service Tags to protect their assets from exposure.

The company adds that Azure users should assume that assets in affected services are publicly exposed if they are not adequately secured.

"When configuring Azure services' network rules, bear in mind that Service Tags are not a watertight way to secure traffic to your private service," Matan added.

“By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security.”
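The advice above, put into code as an added illustration that is not from Tenable's report or Microsoft's documentation: a request check that trusts a Service Tag's address space alone, beside one that also requires an application-layer signature. The Application Insights address ranges, the shared secret and the header name are constructed placeholders, not real Azure values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample ranges standing in for a Service Tag's published prefixes
# (documentation addresses, not real Azure ranges).
APPLICATION_INSIGHTS_TAG = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Hypothetical secret shared with the callers that are actually authorized.
SHARED_SECRET = b"example-shared-secret"


def source_in_service_tag(src_ip: str, tag_ranges) -> bool:
    """IP-only check: what a firewall rule keyed on a Service Tag evaluates."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in tag_ranges)


def weak_allow(src_ip: str, headers: dict) -> bool:
    """Weak policy: the Service Tag is treated as a security boundary, so any
    request arriving from the tag's address space is allowed, including one
    relayed by a trusted service that let a third party pick the headers."""
    return source_in_service_tag(src_ip, APPLICATION_INSIGHTS_TAG)


def sign_body(body: bytes) -> str:
    """HMAC-SHA256 over the request body, as an authorized caller would send it."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def valid_signature(headers: dict, body: bytes) -> bool:
    """Application-layer check that a relayed request cannot satisfy without
    the secret, however many custom headers the relay lets it set."""
    presented = headers.get("X-Signature", "")
    return hmac.compare_digest(presented, sign_body(body))


def hardened_allow(src_ip: str, headers: dict, body: bytes) -> bool:
    """Hardened policy: the Service Tag narrows who can reach the endpoint,
    but only a valid signature authorizes the request."""
    return (source_in_service_tag(src_ip, APPLICATION_INSIGHTS_TAG)
            and valid_signature(headers, body))


if __name__ == "__main__":
    body = b'{"op": "list"}'
    print(weak_allow("203.0.113.10", {"X-Signature": "bogus"}))            # True
    print(hardened_allow("203.0.113.10", {"X-Signature": "bogus"}, body))  # False
```

The weak policy admits the relayed request purely on its source address; the hardened one rejects it unless the caller can also produce the signature.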

Image: Azure Service Tags (Microsoft)

Microsoft disagrees

However, Microsoft disagrees with Tenable's assessment that this is an Azure vulnerability, saying that Azure Service Tags were never intended as a security boundary, even though that was not clear in their original documentation.

"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls," Microsoft said.

“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”

The company says additional authorization and authentication checks are required for a layered network security approach to protect customers' Azure service endpoints from unauthorized access attempts.

Redmond added that its security team and third parties have yet to find evidence of exploitation or abuse of service tags in attacks.
