Paul Robichaux, senior director of product management at cloud security vendor Keepit, agreed that Microsoft’s decision not to address the vulnerability was logical. “I think Microsoft called this right. This is nothing, but it’s not a big deal either. There is a perceived risk if you use Azure service tags as a single point of control.”
“But if someone walks into your office wearing a polo shirt with your company logo on it, you don’t just give them space for free,” said Robichaux. “Trusting service tags as the only control is the same thing. You could have done it, but you didn’t. Instead, you can find other authentication methods that are used in parallel.”
Exploiting the vulnerability is straightforward
Tenable’s report said that exploiting the vulnerability is straightforward. It noted that many Azure services allow customers to make web requests, and some even allow users to add headers and change HTTP methods.