Microsoft has fixed Azure vulnerability faster (in August 2023) after Tenable criticism

Microsoft has surprisingly fixed a vulnerability in the Azure environment, as reported on August 4, 2023, with a patch that was originally scheduled for the end of September 2023. Microsoft has been aware of the vulnerability since March 2023. The harsh criticism of Microsoft's security culture by Tenable CEO Amit Yoran, and the public response to it, probably caused Microsoft to move. Addendum: But there are side effects from this patch.


Vulnerability known since March 2023

On March 30, 2023, security vendor Tenable notified Microsoft of a security issue in Microsoft Azure related to custom Power Platform connectors. The feature allows customers to write code for custom connectors.

According to Microsoft, the vulnerability discovered by Tenable could lead to unauthorized access to Custom Code functions used for custom Power Platform connectors. As a result, the vulnerability would allow unintended disclosure of information if secrets (keys, passwords, etc.) or other sensitive information are embedded in the custom code function.

Microsoft has investigated the issue and determined that only the security researcher who reported the incident (and no one else) had abnormal access. All affected customers were notified via the Microsoft 365 Admin Center (MC665159) of this anomalous access by the researcher, Microsoft writes.

Slow patching by Microsoft

On June 7, 2023, Microsoft released an initial fix to address the vulnerability. When Tenable looked at the fix, they found that custom code in the "soft deleted" state, which Microsoft described as a very small subset, was still affected.

This "soft deleted" status, according to Microsoft, is for quick recovery in case of accidental deletion of custom connectors and is a fallback mechanism.

So, on July 10, 2023, Tenable notified Microsoft again. Since it takes time to create a patch, Microsoft had set the end of September 2023 as the target for the final fix for the vulnerability and communicated this to Tenable. This led to the criticism described below, in which Tenable's CEO accused Microsoft of acting irresponsibly.


Then, on August 2, 2023, Microsoft was ready with the fix for the vulnerability. According to this Microsoft post from August 4, 2023, the patch was then rolled out.

Addendum: I received a comment from German blog reader Tom 801, saying that legitimate users from other tenants will simply no longer be able to access shared resources after the patch has been applied.

Harsh public criticism from Tenable

The fact that Microsoft fixed the vulnerability at the beginning of August 2023 already, instead of in September as originally planned, is related to the public criticism from Tenable. Microsoft's post of August 4, 2023 reads as if nothing serious had happened and they could go on with their daily business: a patch will come, eventually. And nobody, except for the security researcher from Tenable, has made use of this vulnerability. And only very few customers were affected at all.

Tenable's security researchers stated that attackers could use the vulnerability to penetrate the networks and (Azure) services of various customers. They say that the Tenable team very quickly discovered a bank's authentication secrets using the vulnerability. The bank was informed, which then immediately notified Microsoft, but nothing really happened to finally fix the problem in a timely manner.

In light of Microsoft's reactions and the incident in which attackers from the Chinese hacker group Storm-0558 were able to break into mail accounts of Microsoft accounts (I had mentioned that in the post Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1), Tenable went public. Amit Yoran, Chairman and Chief Executive Officer (CEO) at Tenable, then published an article, Microsoft…The Truth Is Even Worse Than You Think, on LinkedIn on August 2, 2023, criticizing Microsoft's security culture and handling of vulnerabilities.

I had reported on it in the blog post Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2. The LinkedIn post then made waves and was echoed in IT media worldwide. The waves were so high that the fix was ready at Microsoft already on August 2, 2023. According to the Microsoft post from August 4, 2023, the fix was then also rolled out immediately.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
