Azure Service Tags are vulnerable to a flaw that could allow threat actors to steal people's sensitive data, some researchers have claimed; however, Microsoft disagrees.
Azure Service Tags are a feature of Microsoft Azure that simplifies network security management by letting users define network access controls based on logical groups of IP addresses rather than individual addresses. Each service tag represents a group of IP address prefixes belonging to a specific Azure service, and can be referenced in security rules for network security groups (NSG), user-defined routes (UDR), and Azure Firewall.
In a recent report, security researchers at Tenable said that attackers can abuse the flaw to craft malicious web requests, in a manner similar to SSRF, that appear to originate from trusted Azure services. Any firewall rule that relies on Azure service tags to identify trusted traffic therefore becomes moot.
Routing mechanism
“This is a high severity vulnerability that could allow an attacker to access private Azure customer data,” Tenable's Liv Matan wrote.
Explaining where the vulnerability comes from, Matan said that the availability feature of Application Insights allows users to create availability tests for their application or machine. Attackers can abuse the availability test functionality of either a "classic test" or a "standard test" to expose internal APIs hosted on ports 80/443, the ports that typically serve web resources.
“As Microsoft does not plan to release a patch for this vulnerability, all Azure customers are at risk. We strongly recommend customers immediately review the centralized documentation issued by MSRC and follow the guidelines carefully.”
In addition to the Azure Application Insights service, ten other services were also found to be vulnerable, Tenable said: Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer and Azure Chaos Studio.
Microsoft, on the other hand, says Azure service tags were never meant to be a security measure, BleepingComputer reported.
“Service tags should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation checks,” Microsoft said.
“Service tags are not a comprehensive way to protect traffic to a client's origin and are not a substitute for input validation to prevent vulnerabilities that may be associated with web requests.”
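To make concrete the difference between the NSG rules described earlier in the article and Microsoft's guidance that a service tag is a routing mechanism to be paired with validation checks, here is an added example that is not part of the original article or of any Microsoft or Tenable code. It models an inbound NSG rule whose source is a service tag and evaluates two policies against the same requests: a weak one that treats the tag match as the security boundary, and a hardened one that additionally requires an application-layer check (a hypothetical HMAC-signed header under a secret only the intended caller knows). The tag name is chosen to match the scenario in the article and is used only as a label; the prefix list, IP addresses, paths and secret are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a service tag's prefix list. Microsoft publishes the
# real lists and they change over time; these prefixes are made up for the demo.
SERVICE_TAG_PREFIXES = {
    "ApplicationInsightsAvailability": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}


@dataclass
class NsgRule:
    """Minimal model of an inbound NSG rule whose source is a service tag."""
    source_service_tag: str
    destination_port: int
    access: str = "Allow"


@dataclass
class Request:
    """Minimal model of an inbound HTTP request as seen by the protected app."""
    src_ip: str
    dst_port: int
    path: str
    headers: dict = field(default_factory=dict)


def nsg_allows(rule: NsgRule, src_ip: str, dst_port: int) -> bool:
    """Network-layer check: does the source IP fall inside the tag's prefixes?
    This is all an NSG rule keyed on a service tag can decide."""
    if rule.access != "Allow" or dst_port != rule.destination_port:
        return False
    ip = ipaddress.ip_address(src_ip)
    prefixes = SERVICE_TAG_PREFIXES.get(rule.source_service_tag, [])
    return any(ip in net for net in prefixes)


def sign(path: str, shared_secret: bytes) -> str:
    """Hypothetical caller signature: HMAC-SHA256 of the request path."""
    return hmac.new(shared_secret, path.encode(), hashlib.sha256).hexdigest()


def request_is_authentic(req: Request, shared_secret: bytes) -> bool:
    """Application-layer validation check. A party that can merely originate
    traffic from the tag's IP space does not hold the secret and cannot forge it."""
    presented = req.headers.get("X-Caller-Signature", "")
    return hmac.compare_digest(presented, sign(req.path, shared_secret))


def weak_policy(rule: NsgRule, req: Request) -> bool:
    """Service tag treated as the security boundary: an NSG match alone grants access."""
    return nsg_allows(rule, req.src_ip, req.dst_port)


def hardened_policy(rule: NsgRule, req: Request, shared_secret: bytes) -> bool:
    """Service tag used for routing only; access also requires the validation check."""
    return nsg_allows(rule, req.src_ip, req.dst_port) and request_is_authentic(req, shared_secret)


RULE = NsgRule(source_service_tag="ApplicationInsightsAvailability", destination_port=443)
SECRET = b"constructed-demo-secret"  # constructed; in practice a managed secret


def demo() -> dict:
    """Evaluate both policies against three constructed requests."""
    path = "/internal/api/customers"
    # Inside the tag's address space but without the signature: traffic that
    # some other tenant could originate through the same service.
    foreign = Request("203.0.113.45", 443, path)
    # Same source range, but the caller proves knowledge of the shared secret.
    trusted = Request("203.0.113.45", 443, path,
                      headers={"X-Caller-Signature": sign(path, SECRET)})
    # Source entirely outside the tag's prefixes.
    outsider = Request("192.0.2.10", 443, path)
    return {
        "weak_foreign": weak_policy(RULE, foreign),
        "weak_trusted": weak_policy(RULE, trusted),
        "weak_outsider": weak_policy(RULE, outsider),
        "hardened_foreign": hardened_policy(RULE, foreign, SECRET),
        "hardened_trusted": hardened_policy(RULE, trusted, SECRET),
        "hardened_outsider": hardened_policy(RULE, outsider, SECRET),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The weak policy lets the unsigned request through purely because its source falls within the tag, which is the gap the article describes; the hardened policy keeps the NSG rule for routing and denies the same request at the application layer. Any per-caller validation (client certificates, signed requests, an identity token) serves the same purpose as the HMAC header used here.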