Tenable security researchers found a high severity vulnerability in multiple Azure services that Microsoft has no plans to patch. The bug allows attackers to bypass Azure firewall rules using service tags. Microsoft claims it’s a client configuration issue and encourages customers to review security measures. Attackers can exploit the vulnerability to impersonate trusted Azure services and access internal APIs. The vulnerability affects more than 10 Azure services, putting all customers at risk. Liv Matan of Tenable encourages immediate action to mitigate the issue to prevent attackers from accessing internal assets and data. The vulnerability involves the abuse of service tags, allowing unauthorized access to resources with trusting security group rules. Azure users are advised to add additional validation checks to prevent attacks.
Jorge Lamarca of WithSecure explains that service tags are an alias for Microsoft IP ranges to simplify network ACL definitions. He highlights the importance of understanding the nature of incoming traffic and ensuring appropriate controls are in place. Tenable discovered an attack surface that many Azure users were unaware of, emphasizing the need for organizations to include it in their threat models and review control postures.
Microsoft downplayed the severity of the vulnerability after an investigation, claiming service tags work as designed and highlighting the importance of best practices and documentation. Tenable’s submission of the vulnerability earned a bug bounty, prompting Microsoft to conduct a comprehensive review to determine a mitigation strategy.
Tenable recommends Azure users to analyze networking rules, implement strong authentication and authorization measures, monitor network traffic, and refer to updated documentation from Microsoft to protect against the vulnerability.
In conclusion, the vulnerability in Azure services poses a significant risk to customers, allowing attackers to bypass firewall rules. Immediate action is advised to mitigate the issue by implementing additional security measures and following best practices. Microsoft has no plans to issue a patch, highlighting the importance of proactive security measures from users to prevent unauthorized access to internal assets and data.
Article Source
https://www.thestack.technology/azure-service-tags-risk-tenable/