Microsoft is warning customers about the potential for an attacker to abuse the service tags feature in Azure to forge requests from a trusted service and bypass firewall rules, potentially gaining access to cloud resources without authorization.
The technique was discovered by researchers from Tenable, who reported it to MIcrosoft in January. MIcrosoft Security Response initially acknowledged it as a vulnerability and said the company would issue a patch, but later decided that a patch was not necessary and instead released updated guidance and documentation.
Service tags allow Azure customers to represent a certain block of IP space for Azure services. The tags often are used for network configuration tasks such as building firewall rules. The Tenable researchers found that by abusing service tags, an attacker could bypass firewall rules if there aren’t any other validation controls in place.
“This vulnerability enables an attacker to control server-side forge requests, thus impersonating trusted Azure services. This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers’ internal assets, data and services,” Tenable said.
Microsoft stressed in its updated guidance that service tags are not meant to be a security control.
“Cross-tenant access is prevented by authentication and only represents an issue where authentication is not used. However, this case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic. Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation,” Microsoft said in its guidance.
“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests. Input validation is used to assure where the traffic originates and who is sending the traffic. Additional authentication and authorization checks must be implemented for a layered network security approach.”
Both Microsoft and Tenable encouraged Azure customers to add authentication and authorization controls on top of any network controls based on service tags.