Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources.
“This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic,” the Microsoft Security Response Center (MSRC) said in a guidance issued last week.
“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls. Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”
The statement comes in response to findings from cybersecurity firm Tenable, which found that Azure customers whose firewall rules rely on Azure Service Tags could be bypassed. There is no evidence that the feature has been exploited in the wild.
The problem, at its core, stems from the fact that some of the Azure services allow inbound traffic via a service tag, potentially allowing an attacker in one tenant to send specially crafted web requests to access resources in another, assuming it has been configured to allow traffic from the service tag and does not perform any authentication of its own.
At 10 Azure services have been found vulnerable: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
“This vulnerability enables an attacker to control server-side requests, thus impersonating trusted Azure services,” Tenable researcher Liv Matan said. “This enables the attacker to bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers’ internal assets, data, and services.”
In response to the disclosure in late January 2024, Microsoft has updated the documentation to explicitly note that “Service Tags alone aren’t sufficient to secure traffic without considering the nature of the service and the traffic it sends.”
It’s also recommended that customers review their use of service tags and ensure they have adopted adequate security guardrails to authenticate only trusted network traffic for service tags.
