Azure Service Tags are vulnerable to a flaw that could allow threat actors to steal people’s sensitive data, some researchers claim, but Microsoft disagrees.
Azure Service Tags is a feature in Microsoft Azure that simplifies network security management by allowing users to define network access controls based on logical groups of IP addresses rather than individual IP addresses. These service tags represent a group of IP address prefixes of specific Azure services, which can be used in security rules for network security groups (NSGs), user-defined routes (UDRs), and Azure Firewall.
In a recent one reportSecurity researchers at Tenable say hackers can exploit the flaw to create malicious SSRF-like web requests to impersonate trusted Azure services. Therefore, any firewall rules based on Azure service tags become moot.
Routing mechanism
“This is a very serious vulnerability that could allow an attacker to access the private data of Azure customers,” Tenable’s Liv Matan wrote.
Explaining where the vulnerability comes from, Matan said the Application Insights Availability feature allows users to create availability tests for their application or machine. Attackers can abuse the ‘availability test’ of the ‘classic test’ or a ‘standard test’ functionality to expose internal APIs hosted on ports 80/443, which typically host web assets.
“As Microsoft does not plan to release a patch for this vulnerability, all Azure customers are at risk. We strongly encourage customers to immediately review MSRC’s centralized documentation and follow the guidance closely.”
In addition to the Azure Application Insights service, ten other services have also been found to be vulnerable, according to Tenable, including Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer and Azure Chaos Studio.
Microsoft, on the other hand, says that Azure Service Tags were never intended as a security measure. BleepingComputer reported.
“Service tags should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,” Microsoft said.
“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”