Summary
A vulnerability in Power Platform could lead to unauthorized access to Custom
Code functions used for custom connectors, thereby allowing cross-tenant information
disclosure of secrets or other sensitive information if these were embedded in a
Custom Code function. The issue occurred as a result of insufficient access control
to Azure Function hosts, which are launched as part of the creation and operation of
custom connectors in Microsoft’s Power Platform. An attacker who determined the
hostname of the Azure Function associated with the custom connector could interact
with the function without authentication. Microsoft fixed the issue by requiring Azure
Function keys for accessing the Function hosts and their HTTP trigger. An initial fix
was deployed (on June 7th, 2023), but customers using affected Custom Code in a "soft
deleted state" (part of a data recovery mechanism) remained vulnerable until a later
fix was applied (on August 2nd, 2023).
Affected Services
Power Platform
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://msrc.microsoft.com/blog/2023/08/microsoft-mitigates-power-platform-custom-code-information-disclosure-vulnerability/https://www.tenable.com/security/research/tra-2023-25
Contributed by https://github.com/korniko98
Disclosure Date
Thu, Mar 30th, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Evan Grant, Tenable
