12 September 2021
On 9 September 2021 Ionut Arghire reported on Security Week that “Microsoft has patched an Azure Container Instances (ACI) vulnerability that could have allowed users to access the information of other Azure customers” (Arghire 2021). The vulnerability dubbed Azurescape was identified by the Palo Alto Networks Unit 42 Threat Intelligence team in the Azure Container-as-a-Service platform. For details about the attack refer to the Palo Alto Networks post (Zelivanky and Avrahami 2021).
The good news is that the vulnerability was not exploited so far. Microsoft stated on 8 September 2021 that their “investigation surfaced no unauthorized access to customer data” (MSRC Team 2021). Nevertheless, this is a really serious issue.
Firstly, it is the second break of tenant isolation that became public within a few weeks.
On 26 August 2021, the WIZ Research Team published a security flaw named ChaosDB in an Azure Cosmos DB feature that also allowed cross tenant access. The team states that a “series of misconfigurations in the notebook feature opened up a new attack vector we were able to exploit. In short, the notebook container allowed for a privilege escalation into other customer notebooks“ (Ohfeld and Tzadik 2021). For details on immediate actions and security best practices see the MSRC post (MSRC Team 2021).
Secondly, this shows that tenant isolation can be [easily] jeopardized.
To be clear, shared primary keys for access to cloud services like Cosmos DB are bad security practice. But I would have expected that more sophisticated means than stealing a primary access key are required to break tenant isolation (Ohfeld and Tzadik 2021).
Azurescape and ChaosDB show that we must re-evaluate the risk of using shared cloud services and prepare for the breach.
Arghire, Ionut. 2021. “Microsoft Warns of Information Leak Flaw in Azure Container Instances | SecurityWeek.Com.” Cybersecurity News. SecurityWeek. September 9, 2021. https://www.securityweek.com/microsoft-warns-information-leak-flaw-azure-container-instances.
MSRC Team. 2021. “Update on the Vulnerability in the Azure Cosmos DB Jupyter Notebook Feature.” Microsoft Security Response Center. August 27, 2021. https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/.
———. 2021. “Coordinated Disclosure of Vulnerability in Azure Container Instances Service.” Microsoft Security Response Center. September 8, 2021. https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/.
Ohfeld, Nir, and Sagi Tzadik. 2021. “ChaosDB: How We Hacked Thousands of Azure Customers’ Databases.” The WIZ Blog. August 26, 2021. https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases.
Zelivanky, Ariel, and Yuval Avrahami. 2021. “What You Need to Know About Azurescape.” Palo Alto Networks Blog (blog). September 9, 2021. https://www.paloaltonetworks.com/blog/2021/09/azurescape/.