Tenable Research has uncovered a significant vulnerability in Microsoft Azure that allows malicious attackers to bypass firewall rules by forging requests from trusted services.
This vulnerability affects several Azure services, including:
Azure Application Insights
Azure DevOps
Azure Machine Learning
Azure Logic Apps
Azure Container Registry
Azure Load Testing
Azure API Management
Azure Data Factory
Azure Action Group
Azure AI Video Indexer
Azure Chaos Studio
Severity and Impact
Tenable Research has classified this vulnerability as a Security Feature Bypass issue.
Although the Common Vulnerability Scoring System (CVSS) is the usual way to express severity, Tenable instead suggests a rating of High for this issue, citing its impact on the integrity and confidentiality of data that sits behind service-tag firewall rules.
Microsoft Security Response Center (MSRC) has acknowledged the issue as an Elevation of Privilege with a severity rating of Important and has awarded a bounty for its discovery.
Solution and Recommendations
Microsoft has opted to address the issue by creating centralized documentation that explains the intended usage patterns for service tags. The underlying behavior is unchanged, so the vulnerable pattern still exists in customer environments: a service tag is an allowlist of the IP ranges a given Azure service sends traffic from, and those ranges are shared by every tenant using that service, so a firewall rule that trusts the tag trusts traffic originating from other customers' resources in the same service as well.
Users are therefore advised to add authentication and authorization layers to defend their assets on top of the network controls administered using service tags, and to treat a service-tag rule as a coarse network filter rather than proof of the caller's identity.
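The following is an added illustration, not code from Tenable or Microsoft, of why the recommendation above matters. It models a receiving application whose firewall allows a service tag (a constructed, non-Azure IP range stands in for the tag's published ranges) and compares the network-only check with a hardened check that also requires an HMAC over the request body using a secret shared out of band with the legitimate caller. The secret, the IP range and the request bodies are all assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the IP ranges behind a service tag. Real tags
# publish many ranges; the point is that every tenant's resources in that
# service originate from the same ranges.
SERVICE_TAG_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the protected app and its legitimate caller share this
# secret out of band (for example via a key vault), and rotate it.
SHARED_SECRET = b"example-secret-rotate-me"


@dataclass
class Request:
    source_ip: str
    body: bytes
    signature: Optional[str] = None  # hex HMAC-SHA256 over body, if present


def in_service_tag(ip: str) -> bool:
    """True if the source address falls inside any range of the service tag."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_TAG_RANGES)


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 the legitimate caller attaches to each request."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def allow_network_only(req: Request) -> bool:
    """What a firewall rule that trusts the service tag does on its own:
    any source inside the tag's ranges is accepted, whoever owns it."""
    return in_service_tag(req.source_ip)


def allow_hardened(req: Request) -> bool:
    """Network rule plus the authentication layer the article recommends.
    The IP check stays as a coarse filter; the HMAC proves the caller
    holds the shared secret, which a resource in another tenant does not."""
    if not in_service_tag(req.source_ip):
        return False
    if req.signature is None:
        return False
    # Constant-time comparison so the check does not leak the digest.
    return hmac.compare_digest(req.signature, sign(req.body))


def demo() -> Dict[str, bool]:
    """Run both checks against three constructed requests."""
    legit = Request("203.0.113.10", b'{"job":"nightly-report"}')
    legit.signature = sign(legit.body)

    # Attacker-controlled resource in the same Azure service: it sends from
    # the same tag range but cannot produce a valid HMAC.
    forged = Request("203.0.113.77", b'{"job":"read-secrets"}')
    forged.signature = sign(forged.body, b"attacker-guess")

    # A caller outside the tag's ranges is rejected by both checks.
    outside = Request("198.51.100.5", b"{}")
    outside.signature = sign(outside.body)

    return {
        "legit_network_only": allow_network_only(legit),
        "forged_network_only": allow_network_only(forged),
        "legit_hardened": allow_hardened(legit),
        "forged_hardened": allow_hardened(forged),
        "outside_hardened": allow_hardened(outside),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The network-only check accepts both the legitimate and the forged request because they share a source range; only the hardened check separates them. In a real deployment the HMAC would typically be replaced by the platform's own identity mechanism (a managed identity token validated on the receiving side), but the structure is the same: the service-tag rule narrows the source, and an authentication check binds the request to a specific principal.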
The timeline of the disclosure process is as follows:
January 24, 2024: Tenable discloses the vulnerability to Microsoft. Automated acknowledgment received.
January 31, 2024: MSRC confirms the reported behavior and awards a bounty.
February 2, 2024: MSRC devises a comprehensive fix plan and an implementation timeline.
February 26, 2024: MSRC decides to address the issue via a comprehensive documentation update and addresses more vulnerability variants.
March 6, 2024: Coordinated disclosure in May is agreed upon.
April 30, 2024: Tenable provides a blog draft to MSRC.
April 30 – May 10, 2024: Tenable coordinates with MSRC to incorporate technical comments.
June 3, 2024: Coordinated disclosure.
Because Microsoft has chosen documentation rather than a change to the underlying behavior, the exposure remains wherever a firewall rule trusts a service tag on its own.
Users of the affected Azure services should review rules that allow these service tags and put authentication and authorization checks in front of the protected assets without delay.