Summary
Tenable Research discovered a vulnerability in Azure allowing attackers to bypass firewall rules based on Service Tags by forging requests from trusted services. It affects over 10 Azure services and enables access to internal/private Azure resources. Microsoft updated documentation to clarify Service Tags' security limitations.
Affected Services
Application Insights, DevOps, Machine Learning, Logic Apps, Container Registry, Load Testing, API Management, Data Factory, Action Group, AI Video Indexer, Chaos Studio
Remediation
Analyze network rules for Service Tag usage. Add authentication and authorization layers to affected assets. Implement strong network authentication when configuring Azure services' network rules.
Tracked CVEs
No tracked CVEs
References
https://www.tenable.com/blog/these-services-shall-not-pass-abusing-service-tags-to-bypass-azure-firewall-rules-customerhttps://msrc.microsoft.com/blog/2024/06/improved-guidance-for-azure-network-service-tags/
Contributed by https://github.com/korniko98
Entry Status
Stub (AI-Generated)
Disclosure Date
Wed, Jan 24th, 2024
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
Search for use of affected Service Tags in network rules. Monitor for unexpected traffic from Azure services to internal resources. Review authentication logs for suspicious access attempts.
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable
