Microsoft has issued a caution regarding the possible exploitation of Azure Service Tags by malicious actors. These perpetrators could craft requests that appear to originate from a trusted service, thus circumventing firewall rules and gaining unauthorized access to cloud resources.
“This scenario underscores the inherent risks associated with relying solely on service tags for vetting incoming network traffic,” the Microsoft Security Response Center (MSRC) stated in guidance released last week.
“Service tags should not be considered a security boundary. They should be used primarily as a routing mechanism, complemented by validation controls. Service tags alone do not provide a comprehensive security solution for traffic to a customer’s origin and should not replace input validation necessary to prevent vulnerabilities in web requests.”
This advisory follows discoveries by cybersecurity firm Tenable, which identified that Azure customers relying on Azure Service Tags for firewall rules could be vulnerable to bypass attacks. There is currently no evidence that this vulnerability has been exploited in the wild.
The core issue arises from certain Azure services allowing inbound traffic through a service tag, potentially enabling an attacker in one tenant to send specially crafted web requests to access resources in another. This is possible if the target is configured to allow traffic from the service tag and lacks its own authentication measures.
Ten Azure services have been identified as vulnerable: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
“This vulnerability permits an attacker to control server-side requests, thereby impersonating trusted Azure services,” explained Tenable researcher Liv Matan. “This allows the attacker to circumvent network controls based on Service Tags, often employed to prevent public access to Azure customers’ internal assets, data, and services.”
In response to the disclosure in late January 2024, Microsoft has updated its documentation to emphasize that “Service Tags alone are insufficient to secure traffic without considering the nature of the service and the traffic it transmits.”
Customers are advised to review their use of service tags and ensure they have implemented robust security measures to authenticate only trusted network traffic for service tags.
