Microsoft fixes flaw after Tenable CEO calls it ‘grossly irresponsible’


By MYBRANDBOOK


Microsoft fixes flaw after Tenable CEO calls it ‘grossly irresponsible’

After being called "grossly irresponsible" by Tenable’s CEO, Microsoft has fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data.  

 

The root cause of the issue stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform. These connectors use custom C# code integrated into a Microsoft-managed Azure Function featuring an HTTP trigger. 

 

The API endpoints facilitated requests to the Azure Function without enforcing authentication, although customer interaction with custom connectors usually happens via authenticated APIs. This created an opportunity for attackers to exploit unsecured Azure Function hosts and intercept OAuth client IDs and secrets. 

 

"It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says Tenable.  

 

 Tenable discovered the flaw and reported it on March 30th. 

 

"However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing,” it further added. 

 

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft," Tenable CEO Amit Yoran explained. 

 

Tenable also shared proof of concept exploit code and information on the steps required to find vulnerable connector hostnames and how to craft the POST requests to interact with the unsecured API endpoints. 

 

Microsoft resolved the issue for all customers on August 2nd after an initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete. 

 

"This issue has been fully addressed for all customers and no customer remediation action is required," Microsoft said. 

 E-Magazine 
 VIDEOS  Placeholder image

Copyright www.mybrandbook.co.in @1999-2024 - All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
Other Initiatives : www.varindia.com | www.spoindia.org