iTnews Asia

Azure bug allowed password theft, researcher says

Tenable CEO critical of slow fix, transparency.

By Richard Chirgwin on Aug 7, 2023 1:26PM

A report from security researchers at Tenable has led Microsoft to patch a cross-tenant information disclosure bug in its Azure cloud services.

According to Tenable, the issue led to “limited, unauthorised access to cross-tenant applications and sensitive data (including, but not limited to, authentication secrets)”.

Tenable said the Azure Function hosts that are launched when a customer operates custom connectors in Microsoft’s Power Platform had insufficient access control.

If an attacker determined the hostname of an Azure Function associated with a custom connector, they could use the bug to interact with that function without authentication.

From there, “an attacker could determine the hostnames for Azure Functions associated with other customers’ custom connectors, as they differed only by an integer.”

That enabled an enumeration attack: stepping through those integers in POST requests reached other customers’ connectors.

“As a result, it was possible to intercept OAuth client IDs and secrets, as well as other forms of authentication, when interacting with the unsecured Azure Function hosts,” Tenable said.
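The enumeration Tenable describes, stepping through hostnames that differ only by an integer, leaves a footprint a defender can look for: one client reaching many hostnames that share a template within a short window, often with consecutive integer values. The detector below is an added example written for this article, not code from Tenable or Microsoft. The log format, hostnames, client addresses and thresholds are constructed for illustration; real Azure Functions hostnames and access logs will differ, so `LOG_RE` would need adapting to the actual source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example: timestamp client method host path status.
# This is an assumption for illustration, not a real Azure log schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
INT_RE = re.compile(r"\d+")

# Constructed sample log: one client walks six adjacent integer-suffixed hostnames
# in eight seconds; a second client uses a single host; a third hits a host with no integer.
SAMPLE_LOG = """\
2023-03-30T10:00:01 203.0.113.7 POST connector-1041.example-functions.net /api/run 200
2023-03-30T10:00:03 203.0.113.7 POST connector-1042.example-functions.net /api/run 200
2023-03-30T10:00:04 203.0.113.7 POST connector-1043.example-functions.net /api/run 404
2023-03-30T10:00:06 203.0.113.7 POST connector-1044.example-functions.net /api/run 200
2023-03-30T10:00:08 203.0.113.7 POST connector-1045.example-functions.net /api/run 200
2023-03-30T10:00:09 203.0.113.7 POST connector-1046.example-functions.net /api/run 200
2023-03-30T10:05:00 198.51.100.9 POST connector-1050.example-functions.net /api/run 200
2023-03-30T10:06:00 198.51.100.9 POST connector-1050.example-functions.net /api/run 200
2023-03-30T10:07:00 192.0.2.5 GET www.example.net /healthz 200
""".splitlines()


def hostname_template(host):
    """Replace every digit run in the hostname with '#'; return (template, tuple_of_ints)."""
    ints = tuple(int(x) for x in INT_RE.findall(host))
    return INT_RE.sub("#", host), ints


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def sequential_fraction(values):
    """Fraction of adjacent pairs in the sorted distinct values that differ by exactly 1."""
    vals = sorted(set(values))
    if len(vals) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return steps / (len(vals) - 1)


def find_enumeration(lines, min_distinct=5, window_seconds=600):
    """
    Flag (client, hostname-template) pairs where one client reached at least
    `min_distinct` hostnames differing only by their integer part within any
    `window_seconds` window. Hostnames without an integer component are skipped.
    Returns {(client, template): {"distinct": n, "span_seconds": s, "sequential": f}}.
    """
    events = defaultdict(list)  # (client, template) -> [(timestamp, ints)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        template, ints = hostname_template(rec["host"])
        if not ints:
            continue
        events[(rec["client"], template)].append((rec["ts"], ints))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits in window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct = {e[1] for e in window}
            if len(distinct) >= min_distinct and (best is None or len(distinct) > best["distinct"]):
                best = {
                    "distinct": len(distinct),
                    "span_seconds": (window[-1][0] - window[0][0]).total_seconds(),
                    # The first digit run is taken as the varying integer.
                    "sequential": sequential_fraction(ints[0] for ints in distinct),
                }
        if best is not None:
            findings[key] = best
    return findings


if __name__ == "__main__":
    for (client, template), f in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} -> {template}: {f['distinct']} hosts in {f['span_seconds']:.0f}s, "
              f"sequential={f['sequential']:.2f}")
```

The `sequential` score separates a scan from a client that legitimately talks to a handful of unrelated numbered hosts: integers hit in consecutive order score near 1.0. Thresholds are starting points only; tune `min_distinct` and `window_seconds` against your own baseline of how many distinct function hosts a single caller normally reaches.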

In its advisory, Microsoft said its investigation showed that only Tenable’s researcher had achieved “anomalous access” via the bug, which it has since patched.

However, rolling the patch out took some time.

Tenable said it first reported the bug on March 30, and Microsoft said it patched the bug for a “majority” of customers on June 7.

However, further testing by Tenable showed the fix was incomplete. Microsoft’s advisory acknowledged that “a very small subset of custom code in a soft deleted state were still impacted.

“This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism.”

Patching was completed by August 2, Microsoft said.

Tenable CEO angry

The process has brought an angry LinkedIn post from Tenable’s chairman and CEO, Amit Yoran, who complained about Microsoft’s lack of transparency and slow response to the issue.

“They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,” Yoran wrote in the post.

At the time he wrote the post, Yoran expected the full fix delivered in August to take until September.

“Cloud providers have long espoused the shared responsibility model,” Yoran said. 

“That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.”

Copyright © iTnews.com.au . All rights reserved.