Microsoft Warns Of Potential Azure Service Tags Misuse

Ten specific Azure services are currently identified as susceptible

clock • 3 min read
Microsoft Warns Of Potential Azure Service Tags Misuse

Microsoft has issued a security warning regarding a potential vulnerability in Azure Service Tags, stating that the bug could allow malicious actors to bypass security measures and gain unauthorized access to cloud resources.

Tenable first discovered the vulnerability and reported it to Microsoft in January 2024.

Azure Service Tags offer a handy way to manage firewall rules by grouping IP addresses associated with specific Azure services. This simplifies security policies for resources, allowing them to easily specify which services can access them.

However, a potential security concern exists with certain Azure services that leverage Service Tags. These services might allow incoming traffic based solely on the matching Service Tag, and also offer features that grant users control over parts of a web request.

This creates a scenario where a malicious actor in one tenant (Tenant A) could potentially exploit weak configurations and impersonate a trusted Azure service, bypassing security measures in another tenant (Tenant B).

This could grant attackers unauthorized access to web resources in Tenant B, especially if those resources lack additional authentication checks.

"When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection," explained Tenable researcher Liv Matan.

"This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers' internal assets, data, and services."

Ten specific Azure services are currently identified as susceptible, according to Tenable. They are:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

While Microsoft hasn't identified any real-world instances of this exploit, they have updated their documentation to clearly state that Service Tags alone are insufficient for robust security.

"This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center (MSRC) says in its guidance.

"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."

MSRC advises users to review their Service Tag configurations and implement additional security measures, such as authentication protocols, to ensure only authorized traffic can access their resources.

"Azure customers are highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants."

"As always, we strongly encourage customers to use multiple layers of security for their resources, such as monitoring network traffic and authentication."

This article originally appeared on our sister site, Computing.

You may also like
The 2024 MES Midmarket 100: Top Companies Serving The Midmarket

MES Research

MES Computing is proud to present this year's list of the key vendors and service providers serving the midmarket.

clock 07-15-2024 • 1 hour 20 min read
Access Point: Weekly News Roundup For IT Executives – July 12, 2024

Column

Access Point is a weekly roundup of major tech news for IT executives on the go. This edition covers July 8-July 12.

clock 07-12-2024 • 1 min read
Mammoth Microsoft Patch Tuesday Fixes Four Zero-Days, Five Critical Bugs

Security

142 holes plugged this month

clock 07-12-2024 • 3 min read

More on Cloud Computing

Google Eyes HubSpot Acquisition To Challenge Microsoft

Google Eyes HubSpot Acquisition To Challenge Microsoft

Microsoft's Dynamics products dominate the modern CRM sector

clock 05-28-2024 • 3 min read
Celigo CEO Explains How iPaaS Helps Streamline Your Mission-Critical SaaS Apps

Celigo CEO Explains How iPaaS Helps Streamline Your Mission-Critical SaaS Apps

And why we are now in the age of "next-gen" IPaaS

Samara Lynn
clock 04-11-2024 • 6 min read
How Victoria's Secret is using AI to transform online shopping

How Victoria's Secret is using AI to transform online shopping

From retail to e-tail

Tom Allen
clock 04-08-2024 • 2 min read