Focus on source code security, collect the latest information at home and abroad!
Compiled by: Code Guard
After being publicly called "grossly irresponsible" by Tenable's CEO, Microsoft has fixed a vulnerability in the Power Platform Custom Connectors feature. The flaw could allow an unauthenticated attacker to access cross-tenant applications and sensitive data belonging to Azure customers.
Let's take a look at this long timeline:
March 30: Issue identified and reported to Microsoft via MSRC
March 30: Microsoft confirms receipt
April 3: Microsoft confirms the bug exists
June 27: Tenable asks for an update
July 6: Microsoft notifies Tenable that the bug is fixed
July 10: Tenable notifies Microsoft that the fix is incomplete
July 11: Tenable opens a new MSRC case to track the unfixed issue
July 11: Microsoft asks for a delay in public disclosure
July 14: Tenable says it will issue a security bulletin two weeks from July 17 (originally July 24, later changed to July 31)
July 20: Microsoft asks what information will be shared
July 21: Tenable notifies Microsoft that it will issue a limited security bulletin that does not include technical details or a PoC
July 21: Microsoft confirms and notifies Tenable that a fix will be released on September 28
July 25: Tenable confirms that technical details and the PoC will be released after September 28
July 31: Limited security bulletin issued
August 3: Microsoft remediates previously affected hosts
August 3: Security bulletin updated with full details after Microsoft releases fixes for all affected customers
The root cause of the vulnerability is insufficient access control on the Azure Function hosts that back connectors within Power Platform. These connectors run C# code inside Microsoft-managed Azure Functions exposed as HTTP triggers.
While customer interactions with custom connectors normally go through authenticated APIs, those API endpoints forward requests to the Azure Functions without the Function hosts themselves requiring authentication. An attacker who can reach an unsecured Function host can therefore interact with it directly and obtain OAuth client IDs and secrets.
Tenable, the company that discovered and reported the vulnerability on March 30, noted, "It should be noted that this is not just an information disclosure issue, as it is possible to access and interact with an insecure Function. However, due to the nature of the service, the impact on connectors varies from day to day and is difficult to quantify without exhaustive testing."
Amit Yoran, CEO of Tenable, mentioned, "In order to let everyone understand the severity of the impact, our team quickly disclosed the authentication secret to a bank. They expressed deep concern about the severity of the vulnerability and we immediately notified Microsoft."
Tenable also shared the proof-of-concept exploit code and steps to find the connector hostname and construct a POST request to interact with the unsecured API endpoint.
Microsoft initially investigated the report submitted by Tenable and found that the only activity exploiting the issue came from the researchers. After further analysis in July, Microsoft determined that some Azure Functions in a "soft-deleted" state had not been properly mitigated. After Tenable pointed out that the fix deployed by Microsoft on June 7 was incomplete, Microsoft finally patched the vulnerability for all customers on August 2. Microsoft said on Friday that "this issue has been fully fixed for all customers, and customers do not need to take any remedial actions." Microsoft then began notifying all affected customers through the Microsoft 365 Admin Center on August 4.
Nonetheless, Tenable believes the fix applies only to new deployments of Power Apps and Power Automate custom connectors: "Microsoft has addressed this issue for newly deployed connectors by requiring an Azure Function key to access the Function host and its HTTP triggers. We will advise customers requesting additional details on the fixes deployed to seek an authoritative answer from Microsoft."
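The root cause and the fix described above come down to one control: an HTTP-triggered Function host must not be reachable without a key. The Python below is an added example, not code from this page, Tenable or Microsoft. It audits function.json bindings for anonymous HTTP triggers and models (as a simplification, not the real Functions host code) how a "function" authLevel gates requests on an x-functions-key header or code query parameter, using constructed sample configurations.

```python
import hmac
import json
from typing import Dict, List, Set

# Constructed sample function.json files (assumption: not the page's or
# Microsoft's configuration). One HTTP trigger is left anonymous, the other
# requires a function key, which is the control the fix above adds.
SAMPLE_FUNCTIONS: Dict[str, str] = {
    "ConnectorProxy/function.json": json.dumps({"bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req",
         "authLevel": "anonymous", "methods": ["post"]},
        {"type": "http", "direction": "out", "name": "res"}]}),
    "TokenExchange/function.json": json.dumps({"bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req",
         "authLevel": "function", "methods": ["post"]},
        {"type": "http", "direction": "out", "name": "res"}]}),
}


def audit_http_triggers(functions: Dict[str, str]) -> List[str]:
    """Return paths of HTTP-triggered functions whose authLevel is
    'anonymous', i.e. callable without any function or host key."""
    findings = []
    for path, raw in functions.items():
        for binding in json.loads(raw).get("bindings", []):
            if (binding.get("type") == "httpTrigger"
                    and binding.get("authLevel", "function") == "anonymous"):
                findings.append(path)
    return findings


def is_authorized(auth_level: str, headers: Dict[str, str],
                  query: Dict[str, str], valid_keys: Set[str]) -> bool:
    """Simplified model of the host's key check (an assumption, not the real
    Functions host code): anonymous triggers accept any caller; 'function'
    and 'admin' triggers require a key in the x-functions-key header or the
    code query parameter. Keys are compared in constant time."""
    if auth_level == "anonymous":
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-functions-key") or query.get("code")
    if presented is None:
        return False
    return any(hmac.compare_digest(presented, key) for key in valid_keys)
```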
A fix released after being publicly criticized
It took Microsoft five months to fix the bug, and it might have taken longer had Tenable's CEO not publicly voiced his displeasure with Microsoft's initial response. On August 2, Yoran published a post condemning Microsoft's handling of the issue as "grossly irresponsible" and "blatant negligence".
To make matters worse, Microsoft initially promised a fix only in September, far beyond the 90-day disclosure deadline that most vendors follow when fixing a bug. The delay adds to concerns about how quickly Microsoft responds to vulnerabilities in its own products.
Yoran mentioned, "Did Microsoft fix the issue that caused multiple customers' networks and services to be compromised? Of course not. It took them more than 90 days to implement some of the fixes, and it only works for new applications loaded on the service. That said, the bank I mentioned earlier is still vulnerable as of today, more than 120 days after we reported the issue, as are all other organizations that started using the service before the fix was released. And, as far as we know, these organizations still don't know they're at risk, so they're unable to make informed decisions about deploying controls and other risk mitigations."
Microsoft responds
On August 4, two days after Yoran's post, Microsoft published a response.
Microsoft explained that, after investigating Tenable's July 10 report, it found that a "very small subset" of code and customers were at risk, and that it fixed the vulnerability on August 2. It also set out the rationale for its two-step response.
Microsoft stated in the post, "In the process of preparing a security fix, we go through an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between the speed of applying the fix and the quality and safety of the fix. Acting too quickly creates a higher risk of customer outage (availability) than the vulnerability itself. The purpose of the vulnerability's non-disclosure period is to allow enough time to roll out high-quality fixes. Not all fixes are created equal. Some fixes are complete and can be applied safely and quickly, while others are not."
Microsoft did not mention in the article how long it would take to build a fix, but said, "We are also beginning to monitor for active exploitation of reported security vulnerabilities and will respond quickly if found."
Tenable has yet to comment on Microsoft's response.
So the question is: which side are you on?
Original links
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-flaw-after-being-called-irresponsible-by-tenable-ceo/
https://www.tenable.com/security/research/tra-2023-25
https://msrc.microsoft.com/blog/2023/08/microsoft-mitigates-power-platform-custom-code-information-disclosure-vulnerability/
https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran/
Title image: Pixabay License
This article was compiled by Qi Anxin Code Guard and does not represent the views of Qi Anxin. When reprinting, please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".