



Microsoft Alert for Hacker Exploitation of Azure Service Tags Vulnerability
Summary
Microsoft warns of Azure Service Tag exploit by malicious actors to bypass firewall rules and gain unauthorized access to cloud resources, highlighting the inherent risk of relying solely on service tags for network security.
Technical Details
Azure Service Tags simplify network isolation within Azure by grouping the IP ranges of specific Azure services. These tags can be used to define network security rules and apply them consistently across multiple Azure resources. Essentially, Azure Service Tags provide a convenient way to manage access controls, such as firewall rules or network security group (NSG) configurations.
Microsoft issued a warning about the potential misuse of Azure Service Tags, which could allow attackers to forge requests from a trusted service and bypass firewall rules. This issue, highlighted by Tenable, reveals that Azure customers who depend on service tags for firewall rules could be vulnerable. At least 10 Azure services are affected: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer, and Azure Chaos Studio.
The core problem arises when an attacker in one tenant can send crafted web requests to access resources in another tenant if the latter has allowed traffic from the service tag without additional authentication. This vulnerability allows the attacker to manipulate server-side requests and impersonate legitimate Azure services. Consequently, the attacker can circumvent network controls that rely on Service Tags, which are typically used to block public access to Azure customers’ internal assets, data, and services.
Recommendations
- Analyze the network rules for each associated service in your Azure environment, identify the use of Service Tags, and filter out the affected services. Assume that assets using these Service Tags are public.
- Add authentication and authorization layers to the affected services. Follow the MSRC guidance: “Service Tags alone are not sufficient to secure traffic to a customer’s origin. Implement authentication/authorization for traffic rather than relying solely on firewall rules.”
- When configuring network rules, remember that Service Tags do not provide airtight security. Ensure strong network authentication is maintained to provide an additional layer of security. This extra layer can significantly hinder an attacker, even if they manage to leverage the vulnerability to reach the target endpoint.
- Pay particular attention to the Azure services listed as vulnerable. Approach other services not listed with skepticism and check for the dangerous combination described. Conduct regular security audits to ensure that your network rules and security measures are up to date. Monitor for any changes in service behavior or new vulnerabilities.
- Stay abreast of the latest security recommendations from Microsoft and other cybersecurity authorities. Apply patches and updates as soon as they are available to mitigate known vulnerabilities.
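The first recommendation (find rules that admit traffic from an affected Service Tag and treat those assets as public) can be scripted. The following is an added example, not code from Microsoft or Tenable: it scans NSG rules in the JSON shape produced by `az network nsg list -o json`. The tag names mapped to the listed services are assumptions to verify against Microsoft's published service tag list, and the sample NSGs are constructed.

```python
import json

# Assumed service tag names for the services listed in the advisory;
# verify against Microsoft's published service tag list before relying on them.
AFFECTED_TAGS = {t.lower() for t in (
    "ApplicationInsightsAvailability", "AzureDevOps", "AzureMachineLearning",
    "LogicApps", "AzureContainerRegistry", "AzureLoadTestingInstanceManagement",
    "ApiManagement", "DataFactory", "ActionGroup", "VideoIndexer", "ChaosStudio")}

# Constructed sample shaped like `az network nsg list -o json` output.
SAMPLE_NSGS = json.loads("""
[
 {"name": "nsg-api", "resourceGroup": "rg-prod", "securityRules": [
   {"name": "allow-apim", "access": "Allow", "direction": "Inbound",
    "sourceAddressPrefix": "ApiManagement.WestEurope", "sourceAddressPrefixes": [],
    "destinationPortRange": "443"},
   {"name": "deny-all", "access": "Deny", "direction": "Inbound",
    "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "*"}]},
 {"name": "nsg-data", "resourceGroup": "rg-prod", "securityRules": [
   {"name": "allow-adf-lb", "access": "Allow", "direction": "Inbound",
    "sourceAddressPrefix": null, "sourceAddressPrefixes": ["DataFactory", "10.0.0.0/24"],
    "destinationPortRange": "1433"},
   {"name": "deny-logicapps", "access": "Deny", "direction": "Inbound",
    "sourceAddressPrefix": "LogicApps", "sourceAddressPrefixes": [], "destinationPortRange": "*"}]}
]
""")

def base_tag(prefix):
    """Strip a regional suffix: 'ApiManagement.WestEurope' -> 'ApiManagement'."""
    return prefix.split(".", 1)[0]

def find_exposed_rules(nsgs):
    """Return (nsg, rule, source, port) for inbound Allow rules sourced from an affected tag."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
                continue
            sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
            for src in filter(None, sources):
                if base_tag(src).lower() in AFFECTED_TAGS:
                    findings.append((nsg["name"], rule["name"], src, rule.get("destinationPortRange")))
    return findings

if __name__ == "__main__":
    for nsg, rule, tag, port in find_exposed_rules(SAMPLE_NSGS):
        print(f"{nsg}/{rule}: inbound Allow from {tag} on port {port}; treat as public")
```

Each finding marks an endpoint that needs its own authentication and authorization, since the tag-based rule alone does not restrict which tenant the traffic originates from.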

Dr. Saylor, CEO – Blackswan, to Moderate NTX ISSA Panel Discussion: ‘Demystifying Exposure Management’

Companies continue to get breached every single day, even though they spend hundreds of thousands of dollars each year on cyber security. The combination of unknown exposed assets and inadequate testing, with the reality of siloed security programs, creates the perfect storm that Gartner suggests organizations address as part of an External Exposure Management program. Join this session to learn more about the state of exposure management, its key challenges, and effective solutions.
REGISTER NOW: https://www.eventbrite.com/e/lunch-and-learn-maggianos-june-20-2024-registration-918497058427?aff=oddtdtcreator

Vulnerability in SolarWinds Serv-U Could Allow for Path Traversal
OVERVIEW
A vulnerability in SolarWinds Serv-U could allow for path traversal, leading to disclosure of sensitive information. SolarWinds Serv-U is a managed file transfer solution, hosted on Windows and Linux-based servers, used to store and share files across an enterprise network. Exploitation of this vulnerability could allow for the disclosure of files and directories on the host. Depending on the permissions associated with the files, an attacker could view content within them. Files with stricter access controls and file permissions could be less impacted.
THREAT INTELLIGENCE
There are currently no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED
- SolarWinds Serv-U versions prior to 15.4.2 HF 2
RECOMMENDATIONS
We recommend the following actions be taken:
- Apply appropriate updates provided by SolarWinds to vulnerable systems immediately after appropriate testing.
- Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
- Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
- Use intrusion detection signatures to block traffic at network boundaries.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
REFERENCES
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
- https://www.helpnetsecurity.com/2024/06/07/cve-2024-28995/
- https://nvd.nist.gov/vuln/detail/CVE-2024-28995