Thursday, February 22, 2024

Microsoft Addresses Azure AD Flaw Following Criticism from Tenable’s CEO

After being criticized as “grossly irresponsible” and “blatantly negligent” by the CEO of Tenable, Microsoft addressed a vulnerability in the Power Platform Custom Connectors feature that allowed unauthenticated attackers access to cross-tenant apps and sensitive data from Azure customers.

On August 2nd, Microsoft addressed the issue for all customers after Tenable declared an earlier fix, delivered by Redmond on June 7th, incomplete.

“This issue has been fully addressed for all customers and no customer remediation action is required,” Microsoft said.

All impacted customers have since received notifications from Redmond via the Microsoft 365 Admin Centre beginning on August 4th.

Tenable claims that the fix only applies to recently deployed Power Apps and Power Automate custom connectors, despite Microsoft’s claim that the information disclosure problem has been addressed for all Azure users.

“Microsoft has fixed the issue for newly deployed connectors by requiring Azure Function keys to access the Function hosts and their HTTP trigger,” Tenable said.

“We would refer customers who require additional details regarding the nature of the deployed remediations to Microsoft for authoritative answers.”

Overview of the Issue

Tenable reported the security issue, which involved Power Platform Custom Connectors using Custom Code, to Microsoft on March 30.

Microsoft announced a significant vulnerability on July 12th and linked it to Storm-0558, a Chinese hacker collective. Around 25 different organizations were impacted by the hack, which also led to the theft of private emails from US government officials.

Senator Ron Wyden requested last week in a letter to the US Department of Justice that Microsoft be held responsible for “negligent cybersecurity practices.”

According to Tenable CEO Amit Yoran, Microsoft spent “more than 90 days to implement a partial fix” after receiving a notification from Tenable.

He further alleges that the fix only applied to “new applications loaded in the service.” The bank and all other businesses “that had launched the service before the fix” were still impacted by the issue, and Yoran claims they were probably not aware of that danger.

“It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have a further impact,” Tenable said.

Tenable also provided proof-of-concept exploit code as well as instructions for locating susceptible connector hostnames and crafting POST requests to communicate with the unprotected API endpoints.

Figure: attack flow of the Power Platform bug (Tenable)

In short, an attacker who knew the hostname of the Azure Function linked to a custom connector could communicate with the function, and trigger whatever behaviour the custom connector code defined, without authenticating.
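The root cause Tenable describes, a Function host reachable without a key, corresponds to a setting that defenders can audit in Azure Function apps they manage themselves: the authLevel of an httpTrigger binding in function.json. The Python script below is an added example, not code from the article, Tenable or Microsoft, and it illustrates the same class of misconfiguration in customer-managed function apps rather than the Microsoft-hosted Custom Code service. The function.json documents it checks are constructed samples, and their file names are hypothetical. It flags triggers that allow anonymous access, treats an omitted authLevel as the Azure Functions default of "function", and produces a hardened copy of the weak binding for comparison.

```python
"""Audit Azure Functions httpTrigger bindings for anonymous access.

Added example (not code from the article, Tenable or Microsoft).
The function.json samples below are constructed for illustration.
"""
import json

# authLevel values that require a key (x-functions-key header or code= query
# parameter). "anonymous" lets any client that knows the hostname invoke the
# trigger, which is the exposure described in the article.
KEY_REQUIRED_LEVELS = {"function", "admin"}
DEFAULT_LEVEL = "function"  # Azure Functions default when authLevel is omitted


def audit_function_json(name, doc):
    """Return a list of finding strings for one function.json document."""
    findings = []
    try:
        cfg = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"{name}: unparseable function.json ({exc.msg})"]
    for binding in cfg.get("bindings", []):
        if binding.get("type") != "httpTrigger":
            continue
        level = str(binding.get("authLevel", DEFAULT_LEVEL)).lower()
        methods = ",".join(binding.get("methods", ["*"]))
        if level not in KEY_REQUIRED_LEVELS:
            findings.append(
                f"{name}: httpTrigger '{binding.get('name', '?')}' ({methods}) "
                f"has authLevel={level}; reachable without a function key"
            )
    return findings


def harden_function_json(doc):
    """Return a copy of the document with every anonymous trigger set to
    authLevel=function (the minimum key-protected level)."""
    cfg = json.loads(doc)
    for binding in cfg.get("bindings", []):
        if binding.get("type") != "httpTrigger":
            continue
        level = str(binding.get("authLevel", DEFAULT_LEVEL)).lower()
        if level not in KEY_REQUIRED_LEVELS:
            binding["authLevel"] = "function"
    return json.dumps(cfg, indent=2)


# Constructed samples (hypothetical file names): one weak, one already keyed,
# one with authLevel omitted (falls back to the default), one malformed.
SAMPLES = {
    "connector-handler/function.json": json.dumps({
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req",
             "authLevel": "anonymous", "methods": ["post"]},
            {"type": "http", "direction": "out", "name": "res"},
        ]
    }),
    "keyed-handler/function.json": json.dumps({
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req",
             "authLevel": "function", "methods": ["get", "post"]},
            {"type": "http", "direction": "out", "name": "res"},
        ]
    }),
    "default-handler/function.json": json.dumps({
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req"},
        ]
    }),
    "broken/function.json": '{"bindings": [',
}


def run_audit(samples=None):
    """Audit every sample; returns {file name: [findings]}."""
    samples = SAMPLES if samples is None else samples
    return {name: audit_function_json(name, doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "OK" if not findings else "FINDINGS"
        print(f"[{status}] {name}")
        for line in findings:
            print("   ", line)
    print("\nHardened copy of the weak binding:")
    print(harden_function_json(SAMPLES["connector-handler/function.json"]))
```

Running the script reports the anonymous POST trigger and the unparseable file, passes the keyed and default-level bindings, and prints the weak document rewritten with authLevel set to function. Requiring a key at the binding is the same control Tenable describes Microsoft applying to newly deployed connectors, and the point of the check is that it is cheap to run across every function.json in a repository before deployment.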

Fix Release

On June 7, 2023, Microsoft released a preliminary patch that addressed this vulnerability for the vast majority of users. An investigation into Tenable’s second report, on 10 July 2023, indicated that a very small fraction of Custom Code in a soft deleted state was still impacted.

This soft deleted state exists as a resilience mechanism so that custom connectors that were accidentally deleted can be recovered quickly.

Microsoft then worked through the remaining Custom Code routines to guarantee and verify complete mitigation for any customers who could still be affected. That work was finished on August 2, 2023.

“To protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit,” Microsoft said.

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.