Security researchers at Tenable have discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access private user data.
Service labels are groups of IP addresses for a specific Azure service that are used for firewall filtering and IP-based access control lists (ACLs) when network isolation is required to protect Azure resources. This is done by blocking incoming or outgoing Internet traffic and allowing only Azure service traffic.
Tenable’s Liv Matan explained that threat actors could use the vulnerability to make malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, which are often used to secure Azure services and sensitive data without authentication .
«This is a high-severity vulnerability that could allow an attacker to access Azure users’ private data,» Matan said.
Attackers can exploit the «availability test» feature in the «classic test» or «standard test» functionality, which allows them to access internal services and potentially expose internal APIs hosted on ports 80/443.
This can be achieved by abusing the Availability Testing feature of Application Insights Availability, which gives attackers the ability to add custom headers, modify methods, and adjust their HTTP requests as needed.
Matan shared more technical information in his report on the misuse of custom headers and Azure Service Tags to access internal APIs that are not otherwise exposed.
«Since Microsoft does not plan to release a patch for this vulnerability, all Azure users are at risk. We strongly recommend users to immediately review the centralized documentation issued by MSRC and follow the guidelines thoroughly.»
Although discovered in Azure Application Insights, Tenable researchers found that it affects at least ten others. The full list includes:
- Azure DevOps
- Azure Machine Learning
- Azure Logic Apps
- Azure Container Registry
- Azure load testing
- Azure API Management
- Azure data factory
- Azure Action Group
- Azure AI Video Indexer
- Azure Chaos Studio
To defend against attacks that exploit this issue, Tenable advises Azure customers to add additional layers of authentication and authorization on top of Service Label-based network controls to protect their assets from exposure.
The company adds that Azure customers should assume assets in affected services are publicly exposed if they are not adequately secured.
«When configuring network policies for Azure services, keep in mind that service labels are not a watertight way to secure traffic to your private service,» Matan added.
«By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security.»
Microsoft disagrees
However, Microsoft disagrees with Tenable’s assessment that this is an Azure vulnerability, saying that Azure Service Tags are not intended as a security boundary, even though their original documentation did not make that clear.
«Service tags should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,» Microsoft said.
«Service tags are not a comprehensive way to secure traffic to the user’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.»
The company says additional authorization and authentication checks are required to access layered network security to protect Azure service endpoints from unauthorized access attempts.
Redmond added that his security team or third parties have yet to find evidence of service tags being exploited or misused in attacks.