Azure Service Tags tagged as security risk, Microsoft disagrees
Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers' private data.
Service Tags are groups of IP addresses for a specific Azure service used for firewall filtering and IP-based Access Control Lists when network isolation is needed to safeguard Azure resources.
Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests that impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags. Such rules are often used to secure Azure services and sensitive data without authentication checks.
Matan has shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that are not normally exposed.
Microsoft disagrees with Tenable's assessment that this is an Azure vulnerability, saying that Azure Service Tags were not meant as a security boundary, even though that was not clear in its original documentation.
The company says additional authorization and authentication checks are required for a layered network security approach to protect customers' Azure service endpoints from unauthorized access attempts.
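The difference between a Service Tag used as the only gate and a Service Tag with authentication layered on top, as an added example that is not from the article, Tenable or Microsoft. The CIDR range, caller name, key and HMAC request signing are constructed stand-ins for a real tag's prefixes and a real authentication mechanism.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for the prefixes published under one service tag.
# A tag covers the service's addresses, not a single customer's.
SERVICE_TAG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical per-caller secrets standing in for real authentication.
CALLER_KEYS = {"our-monitoring-job": b"constructed-demo-key"}


def in_service_tag(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in SERVICE_TAG_PREFIXES)


def sign(caller_id: str, body: bytes, key: bytes) -> str:
    msg = caller_id.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def allow_ip_only(request: dict) -> bool:
    """Weak: treats the service tag as the security boundary."""
    return in_service_tag(request["source_ip"])


def allow_layered(request: dict) -> bool:
    """Tag narrows exposure; a verified caller identity decides access."""
    if not in_service_tag(request["source_ip"]):
        return False
    key = CALLER_KEYS.get(request.get("caller_id", ""))
    if key is None:
        return False
    expected = sign(request["caller_id"], request["body"], key)
    return hmac.compare_digest(expected, request.get("signature", ""))


# Constructed requests. OURS and OTHER_TENANT share the service range.
BODY = b'{"action":"read"}'
OURS = {"source_ip": "203.0.113.10", "caller_id": "our-monitoring-job",
        "body": BODY,
        "signature": sign("our-monitoring-job", BODY,
                          CALLER_KEYS["our-monitoring-job"])}
OTHER_TENANT = {"source_ip": "203.0.113.77", "body": BODY}
OUTSIDE = dict(OURS, source_ip="198.51.100.5")
```

The IP-only check accepts `OTHER_TENANT` because the request originates inside the tagged range; the layered check rejects it because no verified caller identity accompanies it.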