Microsoft seems to have had a slight change of heart when it comes to the security risk its Azure Service Tags are posing.
While initially claiming the tool was never meant to be a security measure, the company is now warning users that there are scenarios in which Service Tags could be used to gain unauthorized access to cloud resources.
Microsoft did stress that such scenarios were not yet observed in the wild and that there is no evidence of abuse in the real world (yet).
Not a security boundary
Earlier in 2024, cybersecurity researchers from Tenable claimed Azure Service Tags were vulnerable to a flaw that could let threat actors steal people’s sensitive data. Service Tags is a feature that helps simplify network security management by allowing users to define network access controls based on logical groups of IP addresses rather than individual IP addresses. These service tags represent a group of IP address prefixes from specific Azure services, which can be used in security rules for network security groups (NSGs), user-defined routes (UDRs), and Azure Firewall.
Tenable said that the tool could be used to craft malicious SSRF-like web requests and thus pose as trusted Azure services. Hence, any firewall rules based on Azure Service Tags are rendered moot.
At the time, Microsoft stressed that Service Tags are “not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls.”
In an “Improved Guidance for Azure Network Service Tags” document, posted on the Microsoft website earlier this month, it doubled down on this assessment, but warned that some risk exists:
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose,” Microsoft said.
“Cross-tenant access is prevented by authentication and only represents an issue where authentication is not used. However, this case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic.”
The goal of the Improved Guidance, Redmond added, was to help businesses better understand service tags and how they function, and not to warn about any flaws in the design:
“As always, we strongly encourage customers to use multiple layers of security for their resources,” Microsoft stressed. “There is no mandatory action required by customers and no additional messaging provided in the Azure Portal. However, Microsoft strongly recommends that customers proactively review their use of service tags and validate their security measures to authenticate only trusted network traffic for service tags.”
Microsoft has a different opinion – Security researcher says Azure Tags are security threat
Azure Tags were never meant to be a security boundary, Microsoft says.
Azure Service Tags is vulnerable to a flaw that could let threat actors steal people’s sensitive data, some researchers have claimed – however Microsoft begs to differ.
Azure Service Tags is a feature in Microsoft Azure that helps simplify network security management by allowing users to define network access controls based on logical groups of IP addresses rather than individual IP addresses. These service tags represent a group of IP address prefixes from specific Azure services, which can be used in security rules for network security groups (NSGs), user-defined routes (UDRs), and Azure Firewall.
In a recent report, security researchers from Tenable said hackers can abuse the flaw to craft malicious SSRF-like web requests and thus pose as trusted Azure services. Hence, any firewall rules based on Azure Service Tags are rendered moot.
Routing mechanism
“This is a high severity vulnerability that could allow an attacker to access Azure customers’ private data,” Tenable’s Liv Matan wrote.
Explaining where the vulnerability stems from, Matan said that the Application Insights Availability feature allows users to create availability tests for their application or machine. Attackers can abuse the “availability test” of the “classic test” or a “standard test” functionality to expose internal APIs hosted on ports 80/443, which usually host web assets.
“Since Microsoft does not plan to issue a patch for this vulnerability, all Azure customers are at risk. We highly recommend customers immediately review the centralized documentation issued by MSRC and follow the guidelines thoroughly.”
Besides the Azure Application Insights service, ten other services were found to be vulnerable as well, Tenable said, including Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
Microsoft, on the other hand, says Azure Service Tags were never meant to be a security measure, BleepingComputer reported.
“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,” Microsoft said.
“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”
We also featured an article explaining How CISOs Can Drive Cybersecurity Accountability for Security Posture.
