Microsoft’s handling of a security issue that could allow limited, unauthorized access to cross-tenant applications and sensitive data has put the company under scrutiny for how it deals with security gaps in its platform.
The issue stems from Microsoft’s Power platform, which is its line of business intelligence, app development, and app connectivity software applications. According to researchers with Tenable that found the problem, the Azure Function hosts, which are launched as part of the platform’s operation of custom connectors, do not have sufficient access control.
Tenable first reached out to Microsoft about the issue on March 30. Several months later, Microsoft on July 6 informed Tenable the issue was fixed; however, Tenable then found that the fix was incomplete. After more back and forth, Microsoft informed Tenable on July 21 that a complete fix for the issue would not be released until Sept. 28. On July 31, Tenable released a limited advisory on the issue. Then, on Thursday, Tenable updated its advisory with further details after Microsoft fixed the issue in its newly deployed connectors, through requiring Azure Function keys to access the Function hosts and their HTTP trigger.
However, Amit Yoran, chairman and CEO of Tenable, in a LinkedIn post this week, called out the lengthy disclosure timeline as an “irresponsible” move from Microsoft.
“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,” said Yoran.
The issue is serious and allowed researchers to discover the authentication secrets for a bank, said Yoran. An attacker that was able to determine the hostname of an Azure Function associated with the custom connector could interact with that function sans authentication. This could allow them to possibly determine other Azure Function hostnames, and because many custom connectors appear to handle authentication flows between Microsoft’s Power Platform and third-party services, a possibility exists that attackers could intercept certain forms of authentication (like OAuth Client IDs and secrets).
“It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact,” according to Tenable researchers in their updated advisory. “However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing.”
Tenable on Thursday said that it can no longer access previously affected hosts, and referred customers who want additional details regarding the nature of the deployed remediations to Microsoft “for authoritative answers.” Microsoft, meanwhile, said the issue has now been fully addressed for all customers and no further customer action is required.
“We appreciate the collaboration with the security community to responsibly disclose product issues,” according to a Microsoft spokesperson. “We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
Beyond this specific issue, Microsoft has come under increased scrutiny over the past few weeks for its security practices. On the heels of a cyberattack that impacted several U.S. federal agencies, where attackers leveraged forged authentication tokens to access victims’ emails with an acquired Microsoft account consumer signing key, Sen. Ron Wyden (D-Ore) urged CISA, the FTC and DoJ to “hold Microsoft responsible for its negligence.”
The criticisms also come as CISA pushes for manufacturers to adopt Secure By Design principles for their products. The idea here is not just to implement security as a core business requirement (as opposed to a technical feature), but also to ensure that manufacturers understand their role and responsibilities in securing their products, so that this security onus doesn’t fall solely on the shoulders of customers.
“Cloud providers have long espoused the shared responsibility model,” according to Yoran on Wednesday. “That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly… How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”