Tenable discovered an issue with Microsoft’s Azure Network service tags that the vendor described as a vulnerability, but Microsoft pushed back on that description.
Tenable and Microsoft jointly disclosed the security issue Monday, which Tenable described as a high-severity vulnerability. According to a blog post from Tenable senior security researcher Liv Matan, the issue enables an attacker to “bypass firewall rules based on Azure service tags by forging requests from trusted services.” Azure service tags are rules used to group specific IP ranges as a streamlined way to establish basic access controls. However, service tags alone are not an end-all-be-all access security solution.
In explaining the issue, Matan said that although multiple Azure services, by design, allow users and customers to craft and modify web requests, that capability can be exploited by attackers if no additional security countermeasures are in place.
“This functionality may open the door for a malicious actor to achieve an impact similar to that of a server-side request forgery (SSRF) vulnerability,” Matan wrote in the blog post. “When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection.”
Microsoft, however, apparently disagrees with calling it a vulnerability. In its own advisory, the company offered “improved guidance” for customers as a mitigation.
“Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose,” the advisory read. “Although Microsoft initially confirmed the vulnerability and paid Tenable a bounty for their contributions, further investigation into Tenable’s report determined that service tags work as designed and best practices needed to be clearly communicated through service documentation as we had communicated in our follow-up correspondence with Tenable.”
The tech giant’s position was that although cross-tenant exploitation is possible in Azure environments without additional access controls, Tenable’s reporting highlights the risk in using service tags as a sole mechanism for authenticating network traffic.
“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,” Microsoft said. “No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation.”
Microsoft advised that customers review Azure security and best practices documentation and are “highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants.”
Tenable said Azure customers should analyze network rules for each service, identify where service tags are used, and add authentication and authorization layers.
“When configuring Azure services’ network rules, bear in mind that Service Tags are not a watertight way to secure traffic to your private service. By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security,” Matan wrote in the blog post. “In that case, even an attacker leveraging the vulnerability to reach the target endpoint would have great trouble exploiting that access.”
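The review Tenable recommends above, finding every network rule that trusts a service tag, can be scripted. The following is an added example written for this article, not code from Tenable or Microsoft. It reads security rules in the shape of the Azure NSG security-rule resource (the field names `az network nsg rule list` emits, such as `sourceAddressPrefix` and `destinationPortRanges`) and flags inbound Allow rules whose source is a symbolic service tag rather than an explicit IP or CIDR. The rule names, priorities and ports in the sample are constructed for illustration.

```python
"""Flag Azure NSG rules that allow traffic based solely on a service tag.

Added example; assumes rules are in the Azure NSG security-rule JSON shape.
Each finding is a rule whose source is a service tag, which the article says
should be backed by an authentication/authorization layer rather than trusted
as a security boundary on its own.
"""
import ipaddress
import json

# Constructed sample of four rules, as an NSG export might contain them.
# Names, priorities and ports are illustrative, not from any real tenant.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-from-storage", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Storage",
   "destinationPortRange": "443"},
  {"name": "allow-office-cidr", "priority": 110, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
   "destinationPortRange": "22"},
  {"name": "allow-multi", "priority": 120, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["AzureCloud.WestEurope", "10.0.0.0/8"],
   "destinationPortRanges": ["80", "8080"]},
  {"name": "deny-all", "priority": 4096, "direction": "Inbound",
   "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
   "destinationPortRange": "*"}
]
"""


def is_ip_or_cidr(value):
    """True if value parses as a single IP address or a CIDR block."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def is_service_tag(value):
    """A service tag is a symbolic name such as "Storage" or a regional
    variant such as "AzureCloud.WestEurope". "*" (any source) and explicit
    IPs/CIDRs are not service tags."""
    if not value or value == "*":
        return False
    return not is_ip_or_cidr(value)


def source_prefixes(rule):
    """Merge the single and plural source fields into one list."""
    single = rule.get("sourceAddressPrefix")
    multi = rule.get("sourceAddressPrefixes") or []
    return ([single] if single else []) + list(multi)


def dest_ports(rule):
    """Merge the single and plural destination port fields into one list."""
    single = rule.get("destinationPortRange")
    multi = rule.get("destinationPortRanges") or []
    return ([single] if single else []) + list(multi)


def find_service_tag_allows(rules, direction="Inbound"):
    """Return the Allow rules in the given direction whose source includes
    at least one service tag, with the tags and exposed ports listed."""
    findings = []
    for rule in rules:
        if rule.get("access") != "Allow" or rule.get("direction") != direction:
            continue
        tags = [p for p in source_prefixes(rule) if is_service_tag(p)]
        if tags:
            findings.append({
                "rule": rule["name"],
                "priority": rule.get("priority"),
                "service_tags": tags,
                "ports": dest_ports(rule),
                "protocol": rule.get("protocol"),
            })
    return findings


def audit(rules_json):
    """Parse an NSG rule export and return the service-tag findings."""
    return find_service_tag_allows(json.loads(rules_json))


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES_JSON):
        print(f"[review] rule {finding['rule']} (priority {finding['priority']}) "
              f"allows {finding['protocol']} to ports {finding['ports']} "
              f"from service tag(s) {finding['service_tags']}")
```

Running this against the sample reports two rules for review: the one trusting `Storage` on 443 and the one trusting `AzureCloud.WestEurope` on 80 and 8080. A rule sourced from an explicit CIDR is left alone, and the deny rule is ignored. Each flagged rule is a place to confirm that the receiving service also authenticates and authorizes the caller, which is the layer both vendors say must sit behind the tag.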
TechTarget Editorial contacted Microsoft and Tenable for additional comment.
Tenable and Microsoft have been at odds in recent years over Microsoft’s handling of security issues. Last June, for example, Tenable CEO Amit Yoran slammed Microsoft for silently patching and allegedly downplaying a serious flaw involving Azure Synapse Analytics that Tenable had reported to the tech giant that March. In a LinkedIn post made at the time, he called this a “repeated pattern of behavior.”
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.