
Microsoft warns of possible hacker exploits

June 10, 2024 | Newsroom | Cloud Security / Vulnerabilities


Microsoft warns that malicious actors could abuse Azure service tags to forge requests that appear to be from trusted services and circumvent firewall rules to gain unauthorized access to cloud resources.

“This case highlights the inherent risks of using service tags as the sole mechanism for inspecting inbound network traffic,” the Microsoft Security Response Center (MSRC) said in guidance issued last week.

“Service tags should not be treated as a security boundary and should only be used as a routing mechanism in conjunction with validators. Service tags are not a comprehensive way to secure traffic to customer origins and are not a substitute for input validation to prevent vulnerabilities related to web requests.”


The statement follows findings from cybersecurity firm Tenable, which showed that firewall rules relying on Azure service tags as their only control could be bypassed by an attacker in another tenant, though there is no evidence that the weakness has been exploited in the wild.

The root cause is that some Azure services let a tenant trigger server-side requests that leave the service from addresses covered by its service tag. An attacker in one tenant can use such a feature to aim a specially crafted web request at resources in another tenant; if those resources allow inbound traffic from the service tag and perform no authentication of their own, the forged request is treated as trusted.

Vulnerabilities were found in eleven Azure services: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.

“This vulnerability allows an attacker to control server-side requests and spoof trusted Azure services,” Tenable researcher Liv Matan said. “This allows an attacker to circumvent network controls based on service tags, which are often used to prevent public access to Azure customers’ internal assets, data, and services.”

Following the disclosure in late January 2024, Microsoft updated its documentation to explicitly state that “service tags alone are not sufficient to secure traffic without taking into account the nature of the service and the traffic it sends.”

Microsoft also recommends that customers review their use of service tags and confirm that appropriate security guardrails are in place, so that only authenticated, trusted network traffic is accepted rather than any traffic that happens to match a service tag.
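The following is an added example, not code from Microsoft, Tenable, or the article, illustrating the root-cause paragraph above and Microsoft's recommendation. It models three inbound handlers behind a service-tag allow rule: one that trusts the tag alone, one that adds a header check the attacker can forge (since the attacker chooses the headers of the request they induce the service to send), and one that also requires a keyed MAC under a secret the attacker does not hold. The service tag name, its prefix (RFC 5737 documentation space), the shared secret, the header names, and the sample requests are all constructed for the example; real service-tag prefixes are published by Microsoft and change over time.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed prefix standing in for what a service tag resolves to.
# Microsoft publishes the real, changing prefix lists; documentation space
# (RFC 5737) is used here only so the example runs offline.
SERVICE_TAG_PREFIXES = {
    "ExampleServiceTag": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed shared secret; in practice minted per integration and kept in a vault.
SHARED_SECRET = b"constructed-example-secret"


@dataclass
class Request:
    source_ip: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def from_service_tag(req: Request, tag: str) -> bool:
    """Coarse network check: does the source address fall inside the tag's prefixes?"""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in SERVICE_TAG_PREFIXES[tag])


def sign(body: bytes) -> str:
    """Keyed MAC over the body; only holders of SHARED_SECRET can produce it."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def has_valid_signature(req: Request) -> bool:
    presented = req.headers.get("X-Signature", "")
    return hmac.compare_digest(sign(req.body), presented)


def weak_handler(req: Request):
    """Service tag as the only check: any request from the tag's prefixes is trusted."""
    if not from_service_tag(req, "ExampleServiceTag"):
        return 403, "blocked at network layer"
    return 200, "internal data"


def naive_handler(req: Request):
    """Adds a header check, but the attacker controls the headers of the request
    they induce the service to send, so this is no stronger than weak_handler."""
    if not from_service_tag(req, "ExampleServiceTag"):
        return 403, "blocked at network layer"
    if req.headers.get("User-Agent") != "TrustedAzureProbe/1.0":
        return 401, "unexpected client"
    return 200, "internal data"


def hardened_handler(req: Request):
    """Service tag used for routing and coarse filtering; the trust decision rests
    on a secret the attacker does not hold."""
    if not from_service_tag(req, "ExampleServiceTag"):
        return 403, "blocked at network layer"
    if not has_valid_signature(req):
        return 401, "unauthenticated"
    return 200, "internal data"


# Constructed traffic. Both in-range requests arrive from inside the service tag's
# prefix, because in the cross-tenant scenario the Azure service itself sends the
# request on the attacker's behalf; only the legitimate one carries a valid MAC.
LEGIT_BODY = b'{"probe": "health"}'
LEGIT_REQUEST = Request(
    source_ip="203.0.113.10",
    headers={"User-Agent": "TrustedAzureProbe/1.0", "X-Signature": sign(LEGIT_BODY)},
    body=LEGIT_BODY,
)
ATTACKER_REQUEST = Request(
    source_ip="203.0.113.77",
    headers={"User-Agent": "TrustedAzureProbe/1.0", "X-Signature": "0" * 64},
    body=b'{"action": "dump"}',
)
OUTSIDE_REQUEST = Request(source_ip="198.51.100.5")

if __name__ == "__main__":
    for name, handler in [("weak", weak_handler), ("naive", naive_handler), ("hardened", hardened_handler)]:
        print(f"{name:8s} legit={handler(LEGIT_REQUEST)[0]} "
              f"attacker={handler(ATTACKER_REQUEST)[0]} outside={handler(OUTSIDE_REQUEST)[0]}")
```

Running it shows the weak and naive handlers returning 200 to the attacker's in-range request while the hardened handler returns 401, and all three still rejecting the out-of-range request at the network layer. The point is the one MSRC makes: keep the service tag rule as a routing and coarse-filtering layer, and make the actual trust decision on something the attacker cannot supply.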
