After being criticized as “grossly irresponsible” and “blatantly negligent” by the CEO of Tenable, Microsoft addressed a vulnerability in the Power Platform Custom Connectors feature that allowed unauthenticated attackers access to cross-tenant apps and sensitive data from Azure customers.
On August 2nd, Microsoft addressed the issue for all customers after Tenable declared an earlier fix delivered by Redmond on June 7th as incomplete.
“This issue has been fully addressed for all customers and no customer remediation action is required,” Microsoft said.
All impacted customers have since received notifications from Redmond via the Microsoft 365 Admin Center beginning on August 4th.
Tenable claims that the fix only applies to recently deployed Power Apps and Power Automate custom connectors, despite Microsoft’s claim that the information disclosure problem has been addressed for all Azure users.
“Microsoft has fixed the issue for newly deployed connectors by requiring Azure Function keys to access the Function hosts and their HTTP trigger,” Tenable said.
“We would refer customers who require additional details regarding the nature of the deployed remediations to Microsoft for authoritative answers.”
Overview of the Issue
Tenable reported to Microsoft the security issue involving Power Platform Custom Connectors utilizing Custom Code on March 30.
Microsoft announced a significant vulnerability on July 12th and linked it to Storm-0558, a Chinese hacker collective. Around 25 different organizations were impacted by the hack, which also led to the theft of private emails from US government officials.
Senator Ron Wyden requested last week in a letter to the US Department of Justice that Microsoft be held responsible for “negligent cybersecurity practices.”
According to Tenable CEO Amit Yoran, Microsoft spent “more than 90 days to implement a partial fix” after receiving a notification from Tenable.
He further alleges that the fix applied only to “new applications loaded in the service.” The bank and all other businesses “that had launched the service before the fix” were still affected by the issue, and Yoran claims they were probably not aware of that danger.
“It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have a further impact,” Tenable said.
Tenable also provided proof-of-concept exploit code as well as instructions for locating susceptible connector hostnames and crafting POST requests to communicate with the unprotected API endpoints.
As a result, an attacker could communicate with the function as specified by the custom connector code without authentication if they knew the hostname of the Azure Function linked to the custom connector.
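The root cause described above is an HTTP-triggered Azure Function host that accepted requests without a function key. The following is an added defensive example, not code from Tenable, Microsoft or the article: it audits Azure Functions `function.json` binding files for HTTP triggers whose `authLevel` is `anonymous` (or unspecified) and shows the corrected binding that requires a key. The three sample configurations and their names are constructed for the example; `function.json` and the `authLevel` values `anonymous`, `function` and `admin` are the real Azure Functions binding schema.

```python
import json
import sys
from typing import Dict, List, Optional

# Constructed sample function.json documents (not taken from the page).
# An httpTrigger binding declares who may call it via "authLevel":
#   "anonymous" -> any caller, no key needed (the weak setting)
#   "function"  -> a function or host key is required (the corrected setting)
#   "admin"     -> the host master key is required
SAMPLE_FUNCTIONS: Dict[str, dict] = {
    "connector-exec": {  # weak: reachable by anyone who knows the hostname
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req",
             "authLevel": "anonymous", "methods": ["post"]},
            {"type": "http", "direction": "out", "name": "$return"},
        ]
    },
    "connector-exec-fixed": {  # corrected: key required on every request
        "bindings": [
            {"type": "httpTrigger", "direction": "in", "name": "req",
             "authLevel": "function", "methods": ["post"]},
            {"type": "http", "direction": "out", "name": "$return"},
        ]
    },
    "timer-cleanup": {  # no HTTP trigger at all; nothing to audit
        "bindings": [
            {"type": "timerTrigger", "direction": "in", "name": "t",
             "schedule": "0 */5 * * * *"}
        ]
    },
}

KEY_REQUIRED = {"function", "admin"}


def http_trigger_auth_level(function_json: dict) -> Optional[str]:
    """Return the authLevel of the first httpTrigger binding (lower-cased).

    Returns None when the function has no HTTP trigger. An HTTP trigger
    with no explicit authLevel is reported as "unspecified" so that the
    auditor flags it for review rather than assuming a platform default.
    """
    for binding in function_json.get("bindings", []):
        if str(binding.get("type", "")).lower() == "httptrigger":
            return str(binding.get("authLevel", "unspecified")).lower()
    return None


def audit(functions: Dict[str, dict]) -> Dict[str, List[str]]:
    """Sort functions into flagged (no key required), ok, and skipped (no HTTP trigger)."""
    result: Dict[str, List[str]] = {"flagged": [], "ok": [], "skipped": []}
    for name, cfg in functions.items():
        level = http_trigger_auth_level(cfg)
        if level is None:
            result["skipped"].append(name)
        elif level in KEY_REQUIRED:
            result["ok"].append(name)
        else:  # "anonymous" or "unspecified"
            result["flagged"].append(name)
    return result


def harden(function_json: dict) -> dict:
    """Return a deep copy with every httpTrigger binding set to authLevel "function"."""
    fixed = json.loads(json.dumps(function_json))  # deep copy via JSON round-trip
    for binding in fixed.get("bindings", []):
        if str(binding.get("type", "")).lower() == "httptrigger":
            binding["authLevel"] = "function"
    return fixed


def load_from_paths(paths: List[str]) -> Dict[str, dict]:
    """Read real function.json files given on the command line, keyed by path."""
    return {p: json.load(open(p, encoding="utf-8")) for p in paths}


if __name__ == "__main__":
    # With arguments: audit the given function.json files. Without: run on the samples.
    targets = load_from_paths(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FUNCTIONS
    report = audit(targets)
    for name in report["flagged"]:
        print(f"FLAG  {name}: HTTP trigger accepts unauthenticated requests")
        print("      corrected binding:",
              json.dumps(harden(targets[name])["bindings"][0]))
    for name in report["ok"]:
        print(f"OK    {name}: function key required")
    for name in report["skipped"]:
        print(f"SKIP  {name}: no HTTP trigger")
```

Run it against a directory of deployed function folders (`python audit_authlevel.py */function.json`) to get a list of HTTP endpoints that would behave like the unprotected hosts Tenable described; treating a missing `authLevel` as a finding rather than trusting a default keeps the audit conservative.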
On June 7, 2023, Microsoft released a preliminary patch to address this vulnerability for the vast majority of users. An investigation into Tenable’s second report on 10 July 2023 indicated that a very small fraction of Custom Code in a soft-deleted state was still impacted.
This soft-deleted state was created as a resilience mechanism to allow speedy recovery if custom connectors were accidentally destroyed.
Microsoft then worked through the Custom Code routines to verify and confirm complete mitigation for any potentially remaining customers; this work was finished on August 2, 2023.
“To protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit,” Microsoft said.