Microsoft Warns Of Potential Azure Service Tags Misuse
Ten specific Azure services are currently identified as susceptible
Microsoft has issued a security warning regarding a potential vulnerability in Azure Service Tags, stating that the issue could allow attackers to bypass network-based security controls and gain unauthorized access to cloud resources.
Tenable first discovered the vulnerability and reported it to Microsoft in January 2024.
Azure Service Tags offer a convenient way to manage firewall and network security group (NSG) rules: each tag stands for the set of IP address prefixes that Microsoft publishes for a given Azure service, and a rule can reference the tag instead of listing those ranges. This simplifies security policies, letting administrators specify which services may reach a resource without maintaining the address lists themselves.
However, some Azure services covered by a Service Tag also offer features that let a user control parts of a server-side web request (such as the destination URL). Traffic generated by such a feature leaves from an address inside that service's tag, so a firewall rule that admits traffic solely because the source matches the tag cannot distinguish the service's own traffic from a request a customer steered through it.
This creates a scenario in which a malicious actor in one tenant (Tenant A) could exploit such a weak configuration to impersonate a trusted Azure service and bypass the network controls of another tenant (Tenant B) whose rules trust that tag.
This could grant the attacker unauthorized access to web resources in Tenant B, especially where the tag-based rule is the only protection and the resource performs no additional authentication of the request.
"When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection," explained Tenable researcher Liv Matan.
"This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers' internal assets, data, and services."
Ten specific Azure services are currently identified as susceptible, according to Tenable. They are:
- Azure DevOps
- Azure Machine Learning
- Azure Logic Apps
- Azure Container Registry
- Azure Load Testing
- Azure API Management
- Azure Data Factory
- Azure Action Group
- Azure AI Video Indexer
- Azure Chaos Studio
While Microsoft has not identified any real-world exploitation, it has updated its documentation to state clearly that Service Tags on their own are not a security boundary.
"This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center (MSRC) says in its guidance.
"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."
MSRC advises customers to review their Service Tag configurations and add further controls, such as authentication of the request itself, so that only authorized traffic can reach their resources.
"Azure customers are highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants."
"As always, we strongly encourage customers to use multiple layers of security for their resources, such as monitoring network traffic and authentication."
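To make the distinction concrete, here is an added Python example that is not code from Tenable, Microsoft or the original article. It simulates the weak configuration described above (a rule that admits traffic because the source address falls inside a Service Tag) alongside the layered policy MSRC recommends, where the tag only narrows who can reach the endpoint and the request must additionally prove it comes from the tenant's own pipeline. The address prefixes, the JSON values, the shared secret and the requests are all constructed for the example (the JSON only mirrors the layout of Microsoft's published Service Tags file, not its contents); `Request`, `tag_only_policy`, `layered_policy` and `sign` are hypothetical helper names.

```python
"""Simulation of the Service Tag trust problem: tag-only admission versus
tag plus request authentication. Illustrative code, not Tenable's or Microsoft's;
all prefixes, secrets and requests below are constructed sample data."""
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of Microsoft's ServiceTags_Public_*.json.
# The real file lists hundreds of tags; these addresses are documentation ranges.
SERVICE_TAGS_JSON = json.dumps({
    "cloud": "Public",
    "values": [
        {"name": "AzureDevOps", "id": "AzureDevOps",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureLoadTestingInstanceManagement",
         "id": "AzureLoadTestingInstanceManagement",
         "properties": {"addressPrefixes": ["198.51.100.0/25"]}},
    ],
})


def load_service_tags(raw: str) -> Dict[str, List]:
    """Map each tag name to its list of ip_network objects."""
    data = json.loads(raw)
    return {
        tag["name"]: [ipaddress.ip_network(p) for p in tag["properties"]["addressPrefixes"]]
        for tag in data["values"]
    }


TAGS = load_service_tags(SERVICE_TAGS_JSON)

# Hypothetical per-tenant secret that Tenant B shares only with its own pipeline.
SHARED_SECRET = b"tenant-b-example-secret"
MAX_SKEW = 300  # seconds a signed request stays valid (limits replay)


@dataclass
class Request:
    source_ip: str
    path: str
    headers: dict = field(default_factory=dict)


def source_in_tag(source_ip: str, tag: str) -> bool:
    """What an NSG / Azure Firewall rule 'allow inbound from <tag>' evaluates."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TAGS[tag])


def tag_only_policy(req: Request, tag: str = "AzureDevOps") -> bool:
    """Weak configuration: the Service Tag is the sole admission control.
    Any tenant's Azure DevOps job that can steer a server-side request at this
    endpoint arrives from a tag address and is admitted."""
    return source_in_tag(req.source_ip, tag)


def sign(path: str, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """HMAC over path and timestamp; only Tenant B's pipeline holds the secret."""
    msg = f"{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def layered_policy(req: Request, tag: str = "AzureDevOps",
                   now: Optional[int] = None) -> bool:
    """Hardened: the tag narrows who can reach the port (routing), but the
    request must also carry a fresh signature only Tenant B can produce."""
    if not source_in_tag(req.source_ip, tag):
        return False
    now = int(time.time()) if now is None else now
    try:
        ts = int(req.headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = sign(req.path, ts)
    return hmac.compare_digest(req.headers.get("X-Signature", ""), expected)


def demo() -> Dict[str, bool]:
    now = 1_700_000_000
    # Tenant A attacker: steers a request from an Azure DevOps-hosted job, so the
    # source address falls inside the tag, but it cannot produce Tenant B's HMAC.
    attacker = Request("203.0.113.45", "/internal/export", {})
    # Tenant B's own pipeline: same tag range, plus a fresh signed request.
    legit = Request("203.0.113.45", "/internal/export",
                    {"X-Timestamp": str(now), "X-Signature": sign("/internal/export", now)})
    # Arbitrary internet host: rejected by both policies.
    outsider = Request("192.0.2.9", "/internal/export", {})
    return {
        "attacker_tag_only": tag_only_policy(attacker),
        "attacker_layered": layered_policy(attacker, now=now),
        "legit_layered": layered_policy(legit, now=now),
        "outsider_tag_only": tag_only_policy(outsider),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the simulation is the first two results: the attacker's request passes `tag_only_policy` because the tag cannot tell one tenant's Azure DevOps traffic from another's, and fails `layered_policy` because it cannot forge the signature. In a real deployment the signed-request check would sit in the origin application or an API gateway in front of it, with the tag-based NSG rule kept as the outer, coarse filter.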
This article originally appeared on our sister site, Computing.