Security researchers at Tenable have uncovered a high-severity vulnerability in Azure Service Tags, which could allow attackers to access private data of customers. Azure Service Tags are collections of IP addresses for specific Azure services, used in firewall filtering and IP-based Access Control Lists (ACLs) to ensure network isolation and secure Azure resources. This flaw can enable threat actors to create malicious SSRF-like web requests, impersonating trusted Azure services to bypass firewall rules typically relied upon to protect sensitive data.
Tenable’s Liv Matan highlighted that attackers could exploit the “availability test” feature within the “classic test” or “standard test” functionalities to gain access to internal services and potentially expose internal APIs hosted on ports 80/443. By abusing the Application Insights Availability service’s tests feature, attackers can customize HTTP requests, add custom headers, and modify methods, increasing the threat to internal services. Despite the severity, Microsoft has no plans to issue a patch for this vulnerability, prompting a call for immediate action from Azure customers to review and follow the guidelines provided by MSRC.
The vulnerability’s impact extends beyond Application Insights, affecting at least ten other Azure services such as Azure DevOps, Azure Machine Learning, and Azure Logic Apps. To defend against potential attacks, Tenable recommends Azure customers implement additional authentication and authorization layers on top of the existing network controls based on Service Tags. This approach aims to safeguard assets from exposure, as relying solely on Service Tags for security is inadequate.
Microsoft, however, disagrees with Tenable’s characterization of the issue, stating that Azure Service Tags were not intended to be a security boundary but rather a routing mechanism alongside validation controls. They emphasized that Service Tags alone cannot secure traffic to a customer’s origin and do not replace the need for input validation to prevent web request vulnerabilities. Microsoft advises customers to adopt a layered network security approach, incorporating additional authorization and authentication checks to protect Azure service endpoints from unauthorized access.
