Microsoft warns of potential Azure Service Tags misuse by hackers

Ten specific Azure services are currently identified as susceptible

Image:

Microsoft warns of potential Azure Service Tags misuse by hackers

Microsoft has issued a security warning regarding a potential vulnerability in Azure Service Tags, stating that the bug could allow malicious actors to bypass security measures and gain unauthorised access to cloud resources.

Tenable first discovered the vulnerability and reported it to Microsoft in January 2024.

Azure Service Tags offer a handy way to manage firewall rules by grouping IP addresses associated with specific Azure services. This simplifies security policies for resources, allowing them to easily specify which services can access them.

However, a potential security concern exists with certain Azure services that leverage Service Tags. These services might allow incoming traffic based solely on the matching Service Tag, and also offer features that grant users control over parts of a web request.

This creates a scenario where a malicious actor in one tenant (Tenant A) could potentially exploit weak configurations and impersonate a trusted Azure service, bypassing security measures in another tenant (Tenant B).

This could grant attackers unauthorised access to web resources in Tenant B, especially if those resources lack additional authentication checks.

"When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection," explained Tenable researcher Liv Matan.

"This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers' internal assets, data, and services."

Ten specific Azure services are currently identified as susceptible, according to Tenable. They are:

Azure DevOps
Azure Machine Learning
Azure Logic Apps
Azure Container Registry
Azure Load Testing
Azure API Management
Azure Data Factory
Azure Action Group
Azure AI Video Indexer
Azure Chaos Studio

While Microsoft hasn't identified any real-world instances of this exploit, they have updated their documentation to clearly state that Service Tags alone are insufficient for robust security.

"This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center (MSRC) says in its guidance.

"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."

MSRC advises users to review their Service Tag configurations and implement additional security measures, such as authentication protocols, to ensure only authorised traffic can access their resources.

"Azure customers are highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants."

"As always, we strongly encourage customers to use multiple layers of security for their resources, such as monitoring network traffic and authentication."