iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A bug in one of Microsoft’s services, which has since been patched, presented a security risk that could have led to passwords being stolen.
The cross-tenant information disclosure bug, which was first identified and reported by researchers at Tenable, was found affecting Microsoft’s Azure cloud services.
For those unaware, Microsoft Azure is a cloud computing platform that allows users to manage, access and develop applications and is often used for analytics, virtual computing, storage, networking and more.
Tenable first reported the bug on 30 March and flagged the bug as critical, saying that the bug arose “as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation)”.
According to a post by Tenable, the bug meant that if a threat actor had the “hostname of the Azure Function associated with the custom connector to interact with the function”, they would be able to access and interact with said function.
As custom connectors in Azure are often used to communicate between third parties and for authentication flows between them and Microsoft’s Power Platform, threat actors could be capable of accessing and compromising forms of authentication, according to Tenable.
“As a result, it was possible to intercept OAuth client IDs and secrets, as well as other forms of authentication, when interacting with the unsecured Azure Function hosts,” Tenable said.
While Microsoft has since patched the bug, the fix took some time, and testing by Tenable had revealed that the fix was incomplete when it was first patched on 7 June, over two months from disclosure.
Responding to the incomplete fix, Microsoft said that the issue still presented a risk to “a very small subset of custom code in a soft deleted state were still impacted”.
“This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism,” it said.
Tenable chief executive and chairman Amit Yoran quickly took to social media to express his disappointment at the slow reaction Microsoft had to the bug.
“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not,” said Yoran on 2 August.
“They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.”
“That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organisations that had launched the service prior to the fix.
“And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.”
Yoran said Microsoft plans to fully fix the issue by the end of September, which is four months since it was notified, which he called “grossly irresponsible, if not blatantly negligent”.
Be the first to hear the latest developments in the cyber industry.
