Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers’ private data.
Service Tags are groups of IP addresses for a specific Azure service used for firewall filtering and IP-based Access Control Lists (ACLs) when network isolation is needed to safeguard Azure resources. This is achieved by blocking incoming or outgoing Internet traffic and only allowing Azure service traffic.
Tenable’s Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, often used to secure Azure services and sensitive data without authentication checks.
“This is a high severity vulnerability that could allow an attacker to access Azure customers’ private data,” Matan said.
Attackers can exploit the “availability test” feature in the “classic test” or “standard test” functionality, allowing them to access internal services and potentially expose internal APIs hosted on ports 80/443.
This can be achieved by abusing the Application Insights Availability service’s availability tests feature, which grants attackers the ability to add custom headers, modify methods, and customize their HTTP requests as needed.
Matan has shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that are not normally exposed.
“Since Microsoft does not plan to issue a patch for this vulnerability, all Azure customers are at risk. We highly recommend customers immediately review the centralized documentation issued by MSRC and follow the guidelines thoroughly.”
While discovered in the Azure Application Insights service, Tenable researchers found that it impacts at least ten others. The complete list includes:
- Azure DevOps
- Azure Machine Learning
- Azure Logic Apps
- Azure Container Registry
- Azure Load Testing
- Azure API Management
- Azure Data Factory
- Azure Action Group
- Azure AI Video Indexer
- Azure Chaos Studio
To defend against attacks taking advantage of this issue, Tenable advises Azure customers to add additional authentication and authorization layers on top of network controls based on Service Tags to protect their assets from exposure.
The company adds that Azure users should assume that assets in affected services are publicly exposed if they are not adequately secured.
“When configuring Azure services’ network rules, bear in mind that Service Tags are not a watertight way to secure traffic to your private service,” Matan added.
“By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security.”
Microsoft disagrees
However, Microsoft disagrees with Tenable’s assessment that this is an Azure vulnerability, saying that Azure Service Tags were not meant as a security boundary, even though that was not clear in their original documentation.
“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,” Microsoft said.
“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”
The company says additional authorization and authentication checks are required for a layered network security approach to protect customers’ Azure service endpoints from unauthorized access attempts.
Redmond added that its security team or third parties are yet to find evidence of exploitation or abuse of service tags in attacks.
