Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers' private data.
Service Tags are groups of IP addresses for a specific Azure service used for firewall filtering and IP-based Access Control Lists when network isolation is needed to safeguard Azure resources.
This is achieved by blocking incoming or outgoing Internet traffic and only allowing Azure service traffic.
Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests that impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags. Such rules are often used to secure Azure services and sensitive data without authentication checks.
This can be achieved by abusing the Application Insights Availability service's availability tests feature, which grants attackers the ability to add custom headers, modify methods, and customize their HTTP requests as needed.
Matan has shared more technical information in his report on abusing custom headers and Azure Service Tags to access internal APIs that are not normally exposed.
Although the issue was discovered in the Azure Application Insights service, Tenable researchers found that it impacts at least ten other services.
To defend against attacks taking advantage of this issue, Tenable advises Azure customers to add authentication and authorization layers on top of network controls based on Service Tags to protect their assets from exposure.
The company adds that Azure users should assume that assets in affected services are publicly exposed if they are not adequately secured.
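One way to find where this advice applies, as an added example that is not taken from Tenable's report or Microsoft's documentation: the Python script below lists the inbound Allow rules of a network security group whose source is a Service Tag rather than an IP range, so the service behind each rule can be checked for its own authentication. The NSG content is constructed sample data in the ARM JSON shape, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a network security group in the ARM JSON shape.
SAMPLE_NSG = {"name": "example-nsg", "properties": {"securityRules": [
    {"name": "allow-availability-tests", "properties": {
        "direction": "Inbound", "access": "Allow", "priority": 100,
        "sourceAddressPrefix": "ApplicationInsightsAvailability",
        "destinationPortRange": "443"}},
    {"name": "allow-office", "properties": {
        "direction": "Inbound", "access": "Allow", "priority": 110,
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"}},
    {"name": "deny-storage-out", "properties": {
        "direction": "Outbound", "access": "Deny", "priority": 120,
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "Storage",
        "destinationPortRange": "*"}},
]}}


def is_service_tag(prefix):
    """Assumption: any source that is not '*', an IP or a CIDR is a tag name."""
    if prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def tag_gated_inbound_rules(nsg):
    """Return (rule, tag, port) for inbound Allow rules sourced from a Service Tag."""
    findings = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        # A rule carries either a single prefix or a list of prefixes.
        sources = [p["sourceAddressPrefix"]] if p.get("sourceAddressPrefix") else []
        sources += p.get("sourceAddressPrefixes", [])
        for src in sources:
            if is_service_tag(src):
                findings.append((rule["name"], src, p.get("destinationPortRange")))
    return findings


if __name__ == "__main__":
    for name, tag, port in tag_gated_inbound_rules(SAMPLE_NSG):
        print(f"{name}: port {port} trusts Service Tag '{tag}'; "
              "confirm the backend authenticates and authorizes callers")
```

Each finding marks an endpoint where the Service Tag rule is the network layer only; the backend still needs its own authentication and authorization.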
Microsoft disagrees with Tenable's assessment that this is an Azure vulnerability, saying that Azure Service Tags were not meant as a security boundary, even though that was not clear in their original documentation.
The company says additional authorization and authentication checks are required for a layered network security approach to protect customers' Azure service endpoints from unauthorized access attempts.
Redmond added that neither its security team nor third parties have yet found evidence of exploitation or abuse of Service Tags in attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:14:03 +0000