Tenable recently identified a notable security issue within Microsoft's Azure Network service tags. While Tenable classified this as a high-severity vulnerability, Microsoft disagreed with this classification. Despite their differences, both companies jointly disclosed the security issue on Monday.
What is Azure?
Azure is Microsoft's comprehensive public cloud platform, offering over 200 services. These include Platform as a Service (PaaS) for application development and operation, Infrastructure as a Service (IaaS) for virtual machines, networking, and storage, and Managed Database Services for simplified database management. Azure supports developers, IT professionals, and business owners, providing the tools to build, run, and manage applications across multiple environments, including on-premises and edge locations. This flexibility and scalability make Azure adaptable to a wide range of organizational needs.
What is the Issue?
Azure service tags represent groups of IP addresses for various Azure services, streamlining the creation of access control rules. These tags can be used in firewall settings to permit traffic from specific Azure services. However, Tenable uncovered a serious flaw: attackers could potentially bypass firewall rules that rely exclusively on service tags by masquerading as trusted services.
Specific Vulnerability Scenario
The vulnerability arises under the following conditions:
Inbound traffic is permitted through a service tag.
Services allowing inbound traffic might let users control parts of web requests, such as the URL path or destination host.
An attacker in one tenant (Tenant A) could exploit this to access resources in another tenant (Tenant B) if the target allows traffic from the service tag and lacks additional authentication methods. For example, Azure Monitor Availability Tests use the ApplicationInsightsAvailability service tag for synthetic monitoring. A malicious user could exploit this setup to access endpoints in a different subscription.
What Customer Should do?
Reviewing and Strengthening Security Posture
Azure customers using service tags should reevaluate their network settings:
Recognize that relying solely on service tags does not fully secure traffic.
Implement additional authentication and authorization checks for enhanced security. Ensure appropriate security measures are in place to safeguard traffic between Azure tenants. Refer to Microsoft's updated best practices for service tags and specific service guidelines. Adhere to Azure security fundamentals to secure your Azure platform and infrastructure. Enable and configure suitable monitoring controls in Azure Monitor.
Example Mitigation Strategy
To protect against unauthorized traffic via the ApplicationInsightsAvailability service tag, customers can create a token and include it as an HTTP header in availability tests. Validate this HTTP header in incoming requests to authenticate traffic origins, rejecting any requests missing the custom header.
Microsoft’s Response and Mitigation
Following Tenable's report,
Conducted an extensive review and search for similar vulnerabilities.
Updated documentation for Azure services utilizing inbound service tags.
Released best practices for service tags to aid users in securing their environments more effectively.
This collaborative disclosure by Tenable and Microsoft underscores the importance for Azure customers to regularly review and enhance their network security configurations. Service tags should be integrated into a comprehensive security strategy that includes robust authentication and monitoring practices.
