Microsoft fixes flaw after Tenable CEO calls it ‘grossly irresponsible’
By MYBRANDBOOK
After being called "grossly irresponsible" by Tenable’s CEO, Microsoft has fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data.
The root cause of the issue stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform. These connectors use custom C# code integrated into a Microsoft-managed Azure Function featuring an HTTP trigger.
The API endpoints facilitated requests to the Azure Function without enforcing authentication, although customer interaction with custom connectors usually happens via authenticated APIs. This created an opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets.
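To make the root cause concrete, the following is an added example, not code from the article, from Tenable, or from Microsoft. It models an HTTP-triggered function host that runs custom connector code, first without any caller check (the weak behaviour the article describes) and then with a function-key check that fails closed. The request and response types, the key, the client ID and the client secret are all constructed for the example; the only real-world detail assumed is that Azure Functions reads a function key from the `x-functions-key` header or the `code` query parameter.

```python
"""Toy model of an HTTP-triggered function host that runs custom connector
code, shown without and with caller authentication.

The weak host runs the connector code for any request that reaches the
trigger, so whatever that code does with the OAuth client secret it holds
becomes reachable by unauthenticated callers. The hardened host checks a
function key first and returns 401 without touching the connector code.
All values below are constructed for the example.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample settings; a real host would load these from its configuration.
HOST_FUNCTION_KEY = "example-function-key-not-a-real-key"
CONNECTOR_SETTINGS = {
    "oauth_client_id": "example-client-id",
    "oauth_client_secret": "example-client-secret",
}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)   # header names assumed lower-cased
    query: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def connector_code(request, settings):
    """Stands in for the customer's custom connector code.

    Like many connectors it builds an OAuth token request carrying the
    client ID and client secret it was configured with. Any caller who can
    trigger this function therefore sees values that should stay private.
    """
    token_request = {
        "grant_type": "authorization_code",
        "code": request.body.get("code", ""),
        "client_id": settings["oauth_client_id"],
        "client_secret": settings["oauth_client_secret"],
    }
    return Response(200, {"token_request": token_request})


def insecure_host(request):
    """Weak behaviour: the HTTP trigger enforces nothing, so every request
    runs the connector code."""
    return connector_code(request, CONNECTOR_SETTINGS)


def caller_is_authenticated(request):
    """Accept a function key from the x-functions-key header or the code
    query parameter and compare it in constant time."""
    presented = request.headers.get("x-functions-key") or request.query.get("code")
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), HOST_FUNCTION_KEY.encode())


def hardened_host(request):
    """Hardened behaviour: fail closed before any connector code runs, and
    return nothing derived from the connector settings on failure."""
    if not caller_is_authenticated(request):
        return Response(401, {"error": "unauthorized"})
    return connector_code(request, CONNECTOR_SETTINGS)


if __name__ == "__main__":
    anonymous = Request("POST", body={"code": "abc"})
    keyed = Request("POST", headers={"x-functions-key": HOST_FUNCTION_KEY}, body={"code": "abc"})
    print("insecure, anonymous:", insecure_host(anonymous).status)   # 200, secret reachable
    print("hardened, anonymous:", hardened_host(anonymous).status)   # 401
    print("hardened, keyed:    ", hardened_host(keyed).status)       # 200
```

The point of the comparison is where the check sits: the hardened host decides before any customer-supplied code executes, so a missing or wrong key never reaches the code that handles the OAuth secret. A detection-side counterpart is to alert on function hosts whose HTTP trigger answers 200 to requests carrying no key at all.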
"It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says Tenable.
Tenable discovered the flaw and reported it on March 30th.
"However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing," it further added.
"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft," Tenable CEO Amit Yoran explained.
Tenable also shared proof of concept exploit code and information on the steps required to find vulnerable connector hostnames and how to craft the POST requests to interact with the unsecured API endpoints.
Microsoft resolved the issue for all customers on August 2nd after an initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete.
"This issue has been fully addressed for all customers and no customer remediation action is required," Microsoft said.