Microsoft appears to have had a bit of a change of heart when it comes to the security risk posed by Azure service tags.
While the company initially claimed that the tool was never intended as a security measure, the company is now warning users that there are scenarios in which service tags can be used to gain unauthorized access to cloud resources.
Microsoft did emphasize that such scenarios have not yet been observed in the wild and that there is no evidence of real-world abuse (yet).
No safety boundary
Earlier in 2024, cybersecurity researchers at Tenable claimed that Azure Service Tags were vulnerable to a flaw that allowed threat actors to steal people’s sensitive data. Service Tags is a feature that helps simplify network security management by allowing users to define network access controls based on logical groups of IP addresses instead of individual IP addresses. These service tags represent a group of IP address prefixes of specific Azure services, which can be used in security rules for network security groups (NSGs), user-defined routes (UDRs), and Azure Firewall.
Tenable said the tool can be used to make malicious SSRF-style web requests to impersonate trusted Azure services. Therefore, any firewall rules based on Azure service tags become moot.
Microsoft emphasized at the time that service tags “should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation checks.”
A document “Enhanced Guidance for Azure Network Service Tags,” posted to Microsoft’s website earlier this month, doubled down on this assessment, but warned that some risk exists:
“Microsoft Security Response Center (MSRC) was launched in January 2024 by our industry partner Tenable Inc. informed about the possibilities for cross-tenant access to web resources using the service tags feature. Microsoft recognized that Tenable has made a valuable contribution to the Azure community by highlighting that misunderstandings can easily exist about the use of service tags and their intended purpose,” Microsoft said.
“Cross-tenant access is prevented by authentication and only poses a problem where authentication is not used. However, this case highlights an inherent risk in using service tags as a single mechanism for controlling incoming network traffic.”
The purpose of the improved guidance, Redmond added, was to help companies better understand service tags and how they work, rather than to warn about possible flaws in the design:
“As always, we strongly encourage customers to use multiple layers of security for their resources,” Microsoft emphasizes. “There is no mandatory action required by customers and no additional messages are offered in the Azure Portal. However, Microsoft strongly encourages customers to proactively assess their use of service tags and validate their security measures to authenticate only trusted network traffic for service tags.”
Through The HackerNews