Advisory

Microsoft warns of Azure Service Tags misuse risk, exposing systems to unauthorized access

Take action: The advisory is detailed and requires focused reading. For those who are short on time, the essence is that Azure Service Tags alone do not give your services sufficient security or isolation. Treat a Service Tag as a coarse routing filter, not as proof of who sent a request, and always enforce authentication and other controls on any resource that a Service Tag rule exposes.


Learn More

Microsoft has issued a security warning about a misuse risk in Azure Service Tags that could enable malicious actors to bypass network controls and gain unauthorized access to cloud resources.

The issue was discovered by Tenable and reported to Microsoft in January 2024. Azure Service Tags are meant to simplify firewall management by grouping the IP address ranges associated with specific Azure services, so that a single rule covers every address a service may use. The risk arises when a customer allows inbound traffic based solely on a matching tag, and the service covered by that tag offers a feature that lets any of its users control parts of a server-side web request (its destination, for instance). Those requests leave from the tagged address ranges, so they satisfy the rule regardless of which tenant initiated them.

A malicious actor in one tenant (Tenant A) could use such a feature to send requests that originate from the trusted service's IP ranges, effectively impersonating that Azure service and passing Service Tag based network rules in another tenant (Tenant B). This could grant unauthorized access to web resources in Tenant B wherever those resources rely on the network rule alone and lack their own authentication checks.

Tenable researcher Liv Matan explains, "When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection. This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers' internal assets, data, and services."

Tenable has identified ten specific Azure services susceptible to this vulnerability:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

While Microsoft has not identified any real-world instances of this exploit, they have updated their documentation to emphasize that Service Tags alone are not sufficient for robust security. The Microsoft Security Response Center (MSRC) advises users to review their Service Tag configurations and implement additional security measures, such as authentication protocols, to ensure only authorized traffic can access their resources.

"This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," MSRC states. "Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer's origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests."

In practice, users should review every network security group, firewall and service-level rule whose source is a Service Tag, confirm that the resource behind each such rule enforces authentication and input validation independently of the caller's IP address, and treat the tag as a routing filter rather than as evidence that a request came from a trusted party.
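To make the review concrete, here is an added example of the two checks the advisory calls for: an audit that flags inbound Allow rules whose source is a Service Tag, and a request admission function that requires a shared secret on top of the network check so that a request relayed through another tenant's Azure service is rejected even though it arrives from a trusted range. This is not code from Microsoft, Tenable or the advisory. The input is a constructed JSON document shaped like the flattened output of `az network nsg list -o json` (one object per NSG with a `securityRules` list); the NSG names, rules, token and IP ranges are made up, and the documentation range 198.51.100.0/24 stands in for the address ranges a real Service Tag expands to.

```python
"""Audit NSG rules that trust a Service Tag as the only inbound control, and
show the defense in depth MSRC recommends.

Added example, not code from Microsoft, Tenable or the advisory. The input is
a CONSTRUCTED document in the flattened shape `az network nsg list -o json`
prints; every name, rule and address in it is made up.
"""
import hmac
import ipaddress
import json

# Constructed sample: two NSGs, four rules. Not real infrastructure.
SAMPLE_NSG_JSON = """
[
  {
    "name": "nsg-internal-api",
    "securityRules": [
      {"name": "allow-devops-agents", "priority": 100, "direction": "Inbound",
       "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "AzureCloud",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"},
      {"name": "allow-office-cidr", "priority": 110, "direction": "Inbound",
       "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"},
      {"name": "deny-all-in", "priority": 4096, "direction": "Inbound",
       "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
       "sourceAddressPrefixes": [], "destinationPortRange": "*"}
    ]
  },
  {
    "name": "nsg-egress-only",
    "securityRules": [
      {"name": "allow-storage-out", "priority": 100, "direction": "Outbound",
       "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
       "sourceAddressPrefixes": [], "destinationPortRange": "443"}
    ]
  }
]
"""


def is_service_tag(prefix: str) -> bool:
    """A source that is neither the wildcard nor a parseable IP/CIDR is a tag name."""
    if prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True
    return False


def source_prefixes(rule: dict) -> list:
    """Collect both the singular and the plural source fields the CLI shape uses."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def find_tag_trusting_rules(nsg_json: str) -> list:
    """Return every inbound Allow rule whose source is a Service Tag, for review."""
    findings = []
    for nsg in json.loads(nsg_json):
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            tags = [p for p in source_prefixes(rule) if is_service_tag(p)]
            if tags:
                findings.append({
                    "nsg": nsg["name"], "rule": rule["name"],
                    "priority": rule["priority"], "tags": tags,
                    "port": rule.get("destinationPortRange"),
                })
    return findings


# Stand-in for the address ranges a Service Tag expands to (constructed).
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def admit_request(client_ip: str, presented_token: str, expected_token: str) -> bool:
    """Defense in depth: a source inside the tag's ranges is necessary, never sufficient.

    A request relayed through another tenant's Azure service arrives from a
    trusted range but cannot present the secret, so it is rejected here even
    though a tag-only NSG rule would have admitted it.
    """
    addr = ipaddress.ip_address(client_ip)
    in_range = any(addr in net for net in TRUSTED_RANGES)
    # Constant-time comparison so the token check leaks no timing information.
    authenticated = hmac.compare_digest(presented_token.encode(), expected_token.encode())
    return in_range and authenticated


if __name__ == "__main__":
    for f in find_tag_trusting_rules(SAMPLE_NSG_JSON):
        print(f"REVIEW {f['nsg']}/{f['rule']} (priority {f['priority']}): "
              f"inbound allow from tag(s) {f['tags']} to port {f['port']}")
    # Cross-tenant relay: trusted range, no secret -> rejected.
    print(admit_request("198.51.100.23", "", "s3cret-token"))
    # Legitimate caller: trusted range and the secret -> admitted.
    print(admit_request("198.51.100.23", "s3cret-token", "s3cret-token"))
```

The audit deliberately flags every named tag, including broad ones such as AzureCloud, so that each rule gets a human decision: keep the tag for routing, but confirm that the listening service authenticates callers and validates input on its own. The `admit_request` function is the shape of that confirmation; a static shared secret is used here only to keep the example self-contained, and a real service would validate a signed token instead.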
