Saturday, May 18, 2024

Microsoft Addresses Azure AD Flaw Following Criticism from Tenable’s CEO

After being criticized as “grossly irresponsible” and “blatantly negligent” by the CEO of Tenable, Microsoft addressed a vulnerability in the Power Platform Custom Connectors feature that allowed unauthenticated attackers access to cross-tenant apps and sensitive data from Azure customers.

On August 2nd, Microsoft addressed the issue for all customers after Tenable declared an earlier fix delivered by Redmond on June 7th as incomplete.

“This issue has been fully addressed for all customers and no customer remediation action is required,” Microsoft said.

All impacted customers have since received notifications from Redmond via the Microsoft 365 admin center, beginning on August 4th.

Although Microsoft maintains that the information disclosure problem has been addressed for all Azure users, Tenable claims that the fix only applies to recently deployed Power Apps and Power Automate custom connectors.

“Microsoft has fixed the issue for newly deployed connectors by requiring Azure Function keys to access the Function hosts and their HTTP trigger,” Tenable said.

“We would refer customers who require additional details regarding the nature of the deployed remediations to Microsoft for authoritative answers.”

Overview of the Issue

Tenable reported to Microsoft the security issue involving Power Platform Custom Connectors utilizing Custom Code on March 30.

Microsoft announced a significant vulnerability on July 12th and linked it to Storm-0558, a Chinese hacker collective. Around 25 different organizations were impacted by the hack, which also led to the theft of private emails from US government officials.

Senator Ron Wyden requested last week in a letter to the US Department of Justice that Microsoft be held responsible for “negligent cybersecurity practices.”

According to Tenable CEO Amit Yoran, Microsoft spent “more than 90 days to implement a partial fix” after receiving a notification from Tenable.

He further alleges that the fix only applied to “new applications loaded in the service.” The bank and all other businesses “that had launched the service before the fix” were still impacted by the issue, and Yoran claims they were probably not aware of that danger.

“It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have a further impact,” Tenable said.

Tenable also provided proof-of-concept exploit code as well as instructions for locating susceptible connector hostnames and crafting POST requests to communicate with the unprotected API endpoints.

[Figure: attack flow of the Power Platform bug (source: Tenable)]

As a result, an attacker could communicate with the function as specified by the custom connector code without authentication if they knew the hostname of the Azure Function linked to the custom connector.
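The page describes the fix only as "requiring Azure Function keys to access the Function hosts and their HTTP trigger"; it does not say how Microsoft applied that internally. As an added example that is not code from Tenable, Microsoft or this article, the following audit shows what that requirement looks like on an HTTP-triggered Azure Function you control: each function's `function.json` declares an `authLevel` of `anonymous`, `function` or `admin` on its `httpTrigger` binding, and only `anonymous` lets a caller who knows the hostname invoke the trigger without a key (keys are sent in the `x-functions-key` header or the `code` query parameter). The `function.json` contents below are constructed samples; the binding layout and the `authLevel` values are the real Azure Functions conventions.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample function.json files (not taken from the page or from any real connector).
# "connector-old" mirrors the pre-fix situation: an HTTP trigger reachable without a key.
SAMPLE_FUNCTION_JSON: Dict[str, str] = {
    "connector-old/function.json": json.dumps({
        "bindings": [
            {"authLevel": "anonymous", "type": "httpTrigger", "direction": "in",
             "name": "req", "methods": ["post"]},
            {"type": "http", "direction": "out", "name": "res"},
        ]
    }),
    "connector-new/function.json": json.dumps({
        "bindings": [
            {"authLevel": "function", "type": "httpTrigger", "direction": "in",
             "name": "req", "methods": ["post"]},
            {"type": "http", "direction": "out", "name": "res"},
        ]
    }),
    "timer-job/function.json": json.dumps({
        "bindings": [
            {"type": "timerTrigger", "direction": "in", "name": "myTimer",
             "schedule": "0 */5 * * * *"},
        ]
    }),
    "missing-authlevel/function.json": json.dumps({
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req"},
        ]
    }),
}

Finding = Tuple[str, str, str]  # (path, severity, message)


def audit_function_json(path: str, text: str) -> List[Finding]:
    """Flag HTTP trigger bindings that do not require a Function key."""
    findings: List[Finding] = []
    doc = json.loads(text)
    for binding in doc.get("bindings", []):
        if binding.get("type") != "httpTrigger":
            continue  # timer, queue and other triggers are not reachable over HTTP
        level = binding.get("authLevel")
        if level is None:
            # Rely on an explicit setting, not on whatever the runtime defaults to.
            findings.append((path, "info",
                             "httpTrigger has no explicit authLevel; set it to 'function' or 'admin'"))
        elif level.lower() == "anonymous":
            findings.append((path, "high",
                             "httpTrigger is anonymous: any caller who knows the hostname "
                             "can invoke it without a key"))
    return findings


def audit_all(files: Dict[str, str]) -> List[Finding]:
    """Run the audit over a mapping of path -> function.json text."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(audit_function_json(path, text))
    return findings


def harden_function_json(text: str, level: str = "function") -> str:
    """Return the function.json with every httpTrigger set to require a key."""
    doc = json.loads(text)
    for binding in doc.get("bindings", []):
        if binding.get("type") == "httpTrigger":
            binding["authLevel"] = level
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for path, severity, message in audit_all(SAMPLE_FUNCTION_JSON):
        print(f"[{severity}] {path}: {message}")
    fixed = harden_function_json(SAMPLE_FUNCTION_JSON["connector-old/function.json"])
    print("hardened connector-old findings:", audit_function_json("connector-old", fixed))
```

Pointing `audit_all` at the `function.json` files of a real Function app (read from disk instead of the constructed dictionary) gives a quick inventory of triggers that would answer to an unauthenticated POST; `harden_function_json` shows the corrected binding, after which callers must present a key.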

Fix Release

On June 7, 2023, Microsoft released a preliminary patch to address this vulnerability for the vast majority of users. An investigation into Tenable's second report, on July 10, 2023, indicated that a very small fraction of Custom Code in a soft deleted state was still impacted.

This soft deleted state exists as a resilience mechanism to allow speedy recovery if custom connectors are accidentally destroyed.

Microsoft then worked through the Custom Code routines to verify complete mitigation for any remaining customers; this work was finished on August 2, 2023.

“To protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit,” Microsoft said.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
