Microsoft has no plans to fix a high-severity Azure vulnerability that could allow an attacker to bypass firewall rules based on Azure Service Tags, according to a report from Tenable’s cloud research team.

This vulnerability enables an attacker to craft server-side forged requests, impersonating trusted Azure services. That lets the attacker bypass network controls based on Service Tags, which are commonly used to prevent public access to Azure customers’ internal assets, data and services.

The issue was discovered in the Azure Application Insights service, but researchers found it affects at least ten others, including:

  • Azure Application Insights
  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

The vulnerability allows an attacker to bypass firewall rules based on Azure Service Tags by forging requests from trusted services. A threat actor could abuse any Service Tag allowed through a user’s firewall if no additional validation controls are in place. By exploiting this vulnerability, an attacker could gain access to an organization’s Azure service and any related sensitive data.

As of May 22, Microsoft said it does not plan to issue a patch for this vulnerability.

Schneider Bold

To address the issue, Microsoft created centralized documentation to inform users about usage patterns for service tags.

Each service requires different actions to mitigate the issue, so Tenable recommends users:

  • Analyze the network rules in Azure environments on each associated service, search for the use of Service Tags, and filter the affected services. Users should assume assets in affected services are publicly facing.
  • Add authentication and authorization layers on top of the network controls administered using service tags to protect assets from exploitation. By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security.
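As an added example (not from the article or from Tenable), the first recommendation can be turned into a quick audit of network security group rules: it flags inbound Allow rules whose source is a Service Tag belonging to one of the affected services, so those destinations can be treated as publicly facing. The tag names in WATCHED_TAGS are assumed to map to the services listed above and should be verified against Microsoft’s current Service Tag list; the input is a constructed sample in the shape of `az network nsg rule list -o json` output.

```python
import json

# Service tag names assumed to correspond to the affected services named in the
# article; verify against the current list Microsoft publishes for your subscription.
WATCHED_TAGS = {
    "ApplicationInsightsAvailability", "AzureDevOps", "AzureMachineLearning",
    "LogicApps", "AzureContainerRegistry", "AzureLoadTestingInstanceManagement",
    "ApiManagement", "DataFactory", "ActionGroup", "VideoIndexer", "ChaosStudio",
}

# Constructed sample in the shape of `az network nsg rule list -o json` output
SAMPLE_RULES = json.dumps([
    {"name": "allow-adf", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "DataFactory.WestEurope", "destinationPortRange": "443"},
    {"name": "allow-apim", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": None, "sourceAddressPrefixes": ["ApiManagement", "10.0.0.0/8"]},
    {"name": "allow-office", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "deny-devops", "priority": 130, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "AzureDevOps"},
])


def _sources(rule):
    """Collect the single and multi-valued source fields of one NSG rule."""
    single = rule.get("sourceAddressPrefix")
    many = rule.get("sourceAddressPrefixes") or []
    return [s for s in ([single] + list(many)) if s]


def find_service_tag_allow_rules(rules_json, watched=WATCHED_TAGS):
    """Return (rule name, source) pairs for inbound Allow rules whose source is a
    watched Service Tag. A regional tag such as 'DataFactory.WestEurope' is
    matched on the part before the dot; IP prefixes never match a tag name."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        for src in _sources(rule):
            if src.split(".", 1)[0] in watched:
                findings.append((rule["name"], src))
    return findings


if __name__ == "__main__":
    for name, src in find_service_tag_allow_rules(SAMPLE_RULES):
        print(f"{name}: source '{src}' trusts a Service Tag of an affected service; "
              "treat the destination as publicly reachable until app-level auth is verified")
```

Run it against real output by replacing SAMPLE_RULES with the JSON from the CLI; every finding is a candidate for the second recommendation, adding authentication and authorization in front of the asset.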
ISSSource
