
"That's not a bug, it's a feature."
A vulnerability — or just Azure working as intended, depending on who you ask — in Microsoft's cloud potentially allows miscreants to wave away firewall rules and access other people's private web resources. The issue, discovered by the research team at vulnerability assessment outfit Tenable, stems from Service Tags, which …
Yorick Hunt: "That's not a bug, it's a feature."
Abusing Service Tags to Bypass Azure Firewall Rules
“this functionality may open the door for a malicious actor to achieve an impact similar to that of a server-side request forgery (SSRF) vulnerability.”
Am I understanding correctly that this boils down to "If you whitelist azure services for unauthenticated access to your servers, anyone using those azure services gets access"?
If so that does seem like expected behaviour... I would be surprised if such requests came from tenant-specific source IPs.
It's more nuanced than that as I understand it.
If you whitelist specific Azure services to allow them to access your servers as you instruct, anyone using those Azure services also gets access.
Tenable argues Azure should prevent tenants from sending requests to other tenants via these services; Microsoft says you should put in your own levels of authentication and filtering to prevent cross-tenant access.
I believe in having competent IT staff who are aware of this, sure. I also personally believe in not handing footguns to IT staff.
C.
Believing you need multiple layers of security is an admission that you don't trust the first N-1 layers.
The fourth paragraph from the end says "Microsoft recommends adding authentication and authorization checks and not only relying on firewall rules".
That's the sensible thing to do. It's called zero trust.
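As an added illustration of the reply above (Service Tag prefixes are shared by every tenant using the service) and of the Microsoft recommendation quoted here, this Python is example code, not from the article, Tenable or Microsoft. It assumes constructed IP prefixes standing in for a Service Tag's ranges and a hypothetical per-tenant HMAC token standing in for the application-level check.

```python
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample prefixes standing in for the ranges behind a Service Tag
# (hypothetical values, not Microsoft's published ranges). A tag resolves to
# prefixes shared by every tenant using that Azure service, not to one tenant.
SERVICE_TAG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                        ipaddress.ip_network("198.51.100.0/25")]

# Hypothetical per-tenant secret that the protected app shares only with its own tenant.
TENANT_SECRET = b"constructed-example-secret"

@dataclass
class Request:
    source_ip: str
    path: str
    auth_token: str = ""   # HMAC over the path, supplied by the caller

def matches_service_tag(source_ip: str) -> bool:
    """Network-layer check only: is the caller inside the tag's prefixes?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in SERVICE_TAG_PREFIXES)

def firewall_only_allows(req: Request) -> bool:
    """Rule as commonly written: allow anything that matches the Service Tag."""
    return matches_service_tag(req.source_ip)

def make_token(secret: bytes, path: str) -> str:
    return hmac.new(secret, path.encode(), hashlib.sha256).hexdigest()

def layered_allows(req: Request) -> bool:
    """The recommended layering: network filter AND an app-level auth check."""
    if not matches_service_tag(req.source_ip):
        return False
    expected = make_token(TENANT_SECRET, req.path)
    return hmac.compare_digest(expected, req.auth_token)

# Constructed requests: own tenant with a valid token, another tenant's workload
# behind the same Service Tag without the secret, and a host outside the tag.
own = Request("203.0.113.10", "/internal/report",
              make_token(TENANT_SECRET, "/internal/report"))
other_tenant = Request("203.0.113.77", "/internal/report")
internet = Request("192.0.2.5", "/internal/report")
```

With the firewall-only rule the other tenant's request is accepted; with the layered check only the request carrying the tenant's token is.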