Security researcher says Azure Tags are security threat — but Microsoft disagrees

Azure Tags were never meant to be a security boundary, Microsoft says

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Azure Service Tags is vulnerable to a flaw that could let threat actors steal people’s sensitive data, some researchers have claimed - howeverMicrosoftbegs to differ.

Azure Service Tags is a feature in Microsoft Azure that helps simplify network security management by allowing users to define network access controls based on logical groups of IP addresses rather than individual IP addresses. These service tags represent a group of IP address prefixes from specific Azure services, which can be used in security rules for network security groups (NSGs), user-defined routes (UDRs), and Azure Firewall.

In a recentreport, security researchers from Tenable said hackers can abuse the flaw to craft malicious SSRF-like web requests and thus pose as trustedAzure services. Hence, any firewall rules based on Azure Service Tags are rendered moot.

Routing mechanism

“This is a high severity vulnerability that could allow an attacker to access Azure customers' private data,” Tenable’s Liv Matan wrote.

Explaining where the vulnerability stems from, Matan said that the Application Insights Availability feature allows users to create availability tests for their application or machine. Attackers can abuse the “availability test” of the “classic test” or a “standard test” functionality to expose internal APIs hosted on ports 80/443, which usually host web assets.

“Since Microsoft does not plan to issue a patch for this vulnerability, all Azure customers are at risk. We highly recommend customers immediately review the centralized documentation issued by MSRC and follow the guidelines thoroughly.”

Besides the Azure Application Insights service, ten other services were found to be vulnerable as well, Tenable said, including Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Microsoft, on the other hand, says Azure Service Tags were never meant to be a security measure,BleepingComputerreported.

“Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls,” Microsoft said.

“Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)