Tenable warns of vulnerability in Azure service tags

Tenable discovered an issue with Microsoft's Azure Network service tags that the vendor described as a vulnerability, but Microsoft pushed back on that description.

Tenable and Microsoft jointly disclosed the security issue Monday, which Tenable described as a high-severity vulnerability. According to a blog post from Tenable senior security research Liv Matan, the issue enables an attacker to "bypass firewall rules based on Azure service tags by forging requests from trusted services." Azure service tags are rules used to group specific IP ranges as a streamlined way to establish basic access controls. However, service tags alone are not an end-all-be-all access security solution.

In explaining the issue, Matan said that although multiple services in Azure, by design, can allow users and customers to craft and modify web requests, it can be exploited by attackers without additional security countermeasures.

"This functionality may open the door for a malicious actor to achieve an impact similar to that of a server-side request forgery (SSRF) vulnerability," Matan wrote in the blog post. "When a service grants users the option to control server-side requests, and the service is associated with Azure Service Tags, things can get risky if the customer does not have additional layers of protection."

Microsoft, however, apparently disagrees with calling it a vulnerability. In its own advisory, the company offered "improved guidance" for customers as a mitigation.

"Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose," the advisory read. "Although Microsoft initially confirmed the vulnerability and paid Tenable a bounty for their contributions, further investigation into Tenable's report determined that service tags work as designed and best practices needed to be clearly communicated through service documentation as we had communicated in our follow-up correspondence with Tenable."

The tech giant's position was that although cross-tenant exploitation is possible in Azure environments without additional access controls, Tenable's reporting highlights the risk in using service tags as a sole mechanism for authenticating network traffic.

"Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls," Microsoft said. "No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation."

Microsoft advised that customers review Azure security and best practices documentation and are "highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants."

Tenable said Azure customers should analyze network rules for each service, identify where service tags are used, and add authentication and authorization layers.

"When configuring Azure services' network rules, bear in mind that Service Tags are not a watertight way to secure traffic to your private service. By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security," Matan wrote in the blog post. "In that case, even an attacker leveraging the vulnerability to reach the target endpoint would have great trouble exploiting that access."

UPDATE: TechTarget Editorial asked Microsoft whether it considered the issue Tenable disclosed to be a vulnerability or not. The company declined to comment, though a company spokesperson shared the following statement:

"We appreciate the collaboration with Tenable to responsibly disclose the inherent risk in using service tags as a single mechanism for vetting secure network traffic," the spokesperson said. "We encourage customers take a multi-layered security approach when it comes to validating their security measures to authenticate only trusted network traffic for service tags. We strongly recommend customers proactively review their use of service tags as outlined within our blog."

Matan told TechTarget Editorial that regardless of how the issue is classified, it represents a gap that must be addressed to ensure user security. "Many customers are using Azure Service Tags to achieve network isolation," he said. "Our novel discovery exposed how attackers can breach that isolation and reach internal customer assets. From a security standpoint, addressing gaps -- whether it be a communication gap or a technology gap -- is crucial in ensuring users' security."

Tenable and Microsoft have been at odds in recent years over Microsoft's handling of security issues. Last June for example, Tenable CEO Amit Yoran slammed Microsoft for silently patching and allegedly downplaying a serious flaw involving Azure Synapse Analytics that Tenable reported to the tech giant that March. In a LinkedIn post made at the time, he called this a "repeated pattern of behavior."

This article was updated on 6/5/24.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.