Cloud Security , Security Operations

Microsoft Says Azure Cloud Attack Scenario Isn't a Flaw

Redmond Calls Tenable Report Evidence of Customers Misconstruing Azure Service Tags
Microsoft Says Azure Cloud Attack Scenario Isn't a Flaw
Tenable says it identified a cross-tenant attack in Azure. Microsoft said customers should authenticate service requests. (Image: Shutterstock)

Microsoft is calling security research asserting a high-severity vulnerability exists in Azure evidence that customers should better configure their cloud environments.

See Also: SASE Architecture For Dummies

Security firm Tenable on Monday published a blog post that details how attackers could bypass firewall rules based on Azure Service Tags. Service Tags group IP addresses used by Azure services, the better to allow firewall whitelisting for functions such as an availability test.

An attacker with an Azure instance - legitimately obtained or not - could obtain access to company resources by sending customizable HTTP requests to web applications through an Azure service that firewalls are configured to let through. The flaw exists in more than 10 Azure services including API management, Tenable found.

"The core of the issue is that it doesn't matter if it's me using my available test service or somebody setting up an availability test service - the traffic would still go through," said Noam Dahan, a Tenable research manager.

Microsoft said Monday it has not seen any such attacks in the wild or received reports of them.

Tenable and Microsoft each say that the computing giant responded to Tenable's disclosure of the attack proof of concept in January by awarding a bug bounty to the cybersecurity company.

But as it examined the issue in later months, Microsoft decided that Tenable had not in fact uncovered a server-side request forgery flaw or a firewall bypass vulnerability. Azure customers apparently are misunderstanding "how to use service tags and their intended purpose," the company wrote Monday.

"Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."

Rather, Tenable's findings highlight the need for authenticating web requests, the company concluded. "We encourage customers take a multi-layered security approach when it comes to validating their security measures to authenticate only trusted network traffic for service tags," a company spokesperson said in an emailed prepared statement.

Dahan told Information Security Media Group that Tenable still believes it uncovered a security vulnerability. Authentication will add another layer of security, he said, but it doesn't cure the underlying problem. "Authentication is a complete security discipline, where you can get some things right and get some things wrong. That is not something that customers will get right 100% of the time," he said.

There are potential limitations for attackers, Dahan said. Hackers would need to know or guess the target Azure domain. "In some cases, the URL being unknowable would make the attacker's life difficult, but that is not a security standard by itself," he said. That information could leak out - code repositories are notorious for exposing internal data that shouldn't be public - or hackers might simply deduce the domain.

Microsoft's advice to companies is to add authentication tokens to HTTPS headers.


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.