Microsoft appears to have changed its mind slightly when it comes to the security risk posed by its Azure service tags.
While initially stating that the tool was never a security measure, the company is now warning users that there are scenarios in which service tags could be used to gain unauthorized access to cloud resources.
Microsoft emphasized that such scenarios have not yet been observed in the wild and that there is no evidence of real-world abuse (yet).
It is not a safety limit
In early 2024, cybersecurity researchers at Tenable stated that Azure service tags were vulnerable to a flaw that could allow threat actors to steal people's sensitive data. Service tags are a feature that helps simplify network security management by allowing users to define network access controls based on logical groups of IP addresses rather than individual IP addresses. These service tags represent a group of IP address prefixes for specific Azure services, which can be used in security rules for network security groups (NSG), user-defined routes (UDR), and Azure Firewall.
Tenable said the tool could be used to create malicious SSRF-like web requests to impersonate trusted Azure services. Therefore, any firewall rule based on Azure service tags becomes moot.
At the time, Microsoft emphasized that service tags “should not be treated as a security boundary and should only be used as a routing mechanism along with validation checks.”
In an “Enhanced Guide to Azure Network Service Tags” document, posted on Microsoft's website earlier this month, it doubled down on this assessment but warned that there is some risk:
“Our industry partner, Tenable Inc., notified the Microsoft Security Response Center (MSRC) in January 2024 about the potential for cross-tenant access to web resources using the service tags feature. “Microsoft recognized that Tenable provided a valuable contribution to the Azure community by highlighting that how to use service tags and their intended purpose can be easily misunderstood,” Microsoft said.
“Authentication prevents access between tenants and is only a problem when authentication is not used. However, this case highlights an inherent risk in using service tags as the sole mechanism for examining incoming network traffic.”
The goal of the Improved Guide, Redmond added, was to help companies better understand service tags and how they work, and not to warn about flaws in the design:
“As always, we strongly recommend customers use multiple layers of security for their resources,” Microsoft emphasized. “No mandatory action is required from customers and no additional messages are provided in the Azure Portal. However, Microsoft strongly recommends that customers proactively review their use of service tags and validate their security measures to authenticate only trusted network traffic for service tags.”
Via TheHackerNews
