​Security researchers at Tenable have discovered what they describe as a very serious vulnerability in Azure Service Tags that could allow attackers to access private customer data.
Service tags are pools of IP addresses for a specific Azure service that are used for firewall filtering and IP-based access control lists (ACLs) when network isolation is needed to secure Azure resources. This is achieved by blocking incoming or outgoing internet traffic and allowing only Azure service traffic.
Tenable’s Liv Matan explained that threat actors can use this vulnerability to create malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, which are often used to secure Azure services and sensitive data without validation checks.
“This is a very serious vulnerability that could allow an attacker to access the private data of Azure customers,” Matan said.
Attackers can exploit the “availability test” feature in the “classic test” or “standard test” function, allowing them to access internal services and potentially expose internal APIs hosted on ports 80/443.
This can be achieved by exploiting the Availability Tests feature of Application Insights Availability, which gives attackers the ability to add custom headers, modify methods, and customize their HTTP requests as needed.
Matan shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that are not normally exposed.
“Because Microsoft does not plan to release a fix for this vulnerability, all Azure customers are at risk. We strongly encourage customers to immediately review the centralized documentation issued by MSRC and follow the instructions closely.”
While researchers discovered Tenable in Azure Application Insights, they found that it affects at least ten others. The complete list includes:
- Azure DevOps
- Azure Machine Learning
- Azure Logic Apps
- Azure Container Registry
- Azure stress testing
- Azure API management
- Azure Data Factory
- Azure Action Group
- Azure AI Video Indexer
- Azure Chaos Studio
To defend against attacks exploiting this issue, Tenable advises Azure customers to add additional layers of authentication and authorization above service token-based network controls to protect their assets from exposure.
The company adds that Azure users should assume that assets in affected services are publicly exposed if they are not adequately secured.
“When configuring Azure service network rules, keep in mind that service tags are not a watertight way to secure the operation of your private service,” Matan added.
“By ensuring that strong network authentication is maintained, users can defend themselves with an additional and critical layer of security.”
Microsoft disagrees
However, Microsoft disagrees with Tenable’s assessment that this is an Azure vulnerability, saying that Azure Service Tags were not meant to be a security boundary, even though their original documentation did not make that clear.
“Service tags should not be considered a security boundary and should only be used as a routing mechanism in conjunction with authentication checks,” Microsoft said.
“Service tags are not a comprehensive way to secure traffic to the customer origin and are not a substitute for ingress authentication to prevent vulnerabilities that may be associated with web requests.”
The company says additional authorization and authentication checks are required to access the layered network security that protects customers’ Azure service endpoints from unauthorized access attempts.
Redmond added that his security team or third parties have not yet found evidence of abuse or misuse of service tags in the attacks.