Major service tag security problems reported in Microsoft Azure

Paul Robichaux, senior director of product management at cloud security vendor Keepit, agreed that Microsoft’s decision not to address the vulnerability was reasonable. “I think Microsoft called this one correctly. This isn’t nothing, but it’s not a big deal either. It is a theoretical vulnerability if you’re using Azure service tags as a single point of control.”

“But if someone walks in your office wearing a polo shirt with your company logo, you don’t automatically give them free run of the place,” Robichaux said. “Trusting service tags as the only control mechanism is the same thing. You could do it, but you wouldn’t. Instead, you’d have other authentication methods used in parallel.”

Exploiting the vulnerability is straightforward

The Tenable report said the potential method for exploiting the vulnerability is straightforward. It noted that multiple Azure services allow customers to craft web requests, some even allowing users to add headers and change HTTP methods.