
Microsoft is warning about the potential misuse of Azure service tags by malicious actors to generate requests from trusted services and bypass firewall rules, thereby allowing them to gain unauthorized access to cloud resources.
“This issue highlights an inherent vulnerability in the use of service tags as a sole mechanism for examining incoming network traffic,” the Microsoft Security Response Center (MSRC) said in a directive issued last week.
“Service tags should not be considered a security boundary and should only be used as a routing mechanism in conjunction with authentication controls. Service tags are not a comprehensive method of securing traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web applications.”
The statement comes in response to findings from cybersecurity firm Tenable, which found that firewall rules of Azure users that rely on Azure service tags can be bypassed. There is no evidence that this weakness has been exploited in the wild.
The problem stems primarily from the fact that some Azure services allow inbound traffic through service tags, potentially allowing an attacker in one tenant to send crafted web requests to resources in another tenant, provided the target is configured to allow traffic from the service tag and does not perform any authentication of its own.
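As an added illustration of the defender-side check this implies (example code, not from Microsoft or Tenable): an audit that reads a constructed NSG-style rule list and flags inbound Allow rules whose source is a service tag rather than explicit addresses, since those are the rules where the destination must do its own authentication. The rule shape mirrors the NSG export fields sourceAddressPrefix, direction, access and destinationPortRange; the sample rules and names are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of an Azure NSG securityRules export (trimmed
# to the fields used here). Names, prefixes and ports are illustrative only.
SAMPLE_NSG_RULES = json.dumps([
    {"name": "allow-logicapps", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "LogicApps", "destinationPortRange": "443"}},
    {"name": "allow-datafactory-multi", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefixes": ["DataFactory", "10.1.0.0/16"], "destinationPortRange": "8080"}},
    {"name": "allow-office-cidr", "properties": {"direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"}},
    {"name": "deny-internet", "properties": {"direction": "Inbound", "access": "Deny",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}},
    {"name": "allow-any-outbound", "properties": {"direction": "Outbound", "access": "Allow",
        "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
])

# Sources that are not service tags: wildcards and the generic Internet tag are a
# separate (and more obvious) review item, so they are excluded from this check.
NON_TAG_SOURCES = {"*", "Any", "Internet"}


def is_ip_or_cidr(prefix: str) -> bool:
    """True for a literal IP or CIDR; False for '*', 'Internet' or a service tag name."""
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False


def find_service_tag_allow_rules(nsg_rules_json: str) -> list:
    """Return inbound Allow rules that admit traffic by service tag.

    Such rules accept requests from any tenant's use of the tagged service, so the
    listening workload must authenticate callers itself. Each hit is a finding to
    review, not automatically a fault."""
    findings = []
    for rule in json.loads(nsg_rules_json):
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        # A rule carries either a single prefix or a list of prefixes.
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
        tags = [s for s in sources if s not in NON_TAG_SOURCES and not is_ip_or_cidr(s)]
        if tags:
            findings.append({"rule": rule["name"], "service_tags": tags,
                             "ports": p.get("destinationPortRange")})
    return findings
```

Running it over the sample yields the two rules that admit traffic by tag; in a real review, each such destination should be checked for its own authentication of inbound requests.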
10 services on Azure have been found to be vulnerable: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
“This vulnerability enables an attacker to control server-side requests, thereby impersonating trusted Azure services,” said Tenable researcher Liv Matan. “This enables an attacker to bypass network controls based on service tags, which are often used to prevent public access to Azure users’ internal assets, data and services.”
In response to the disclosure in late January 2024, Microsoft updated its documentation to clearly note that “service tags alone are not sufficient to secure traffic without considering the nature of the service and the traffic it sends.”
It is also recommended that users review their use of service tags and ensure that they have adopted appropriate security safeguards so that only authenticated, trusted network traffic is accepted from service tags.