Tenable Uncovers High Severity Vulnerability in Azure Services

Tenable, known for its exposure management solutions, has revealed a high severity vulnerability discovered by its Tenable Cloud Research Team that affects over 10 Azure services. The impacted services include Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure API Management, and Azure Logic Apps. Notably, Microsoft has decided not to issue a patch for this vulnerability, opting instead to provide centralized documentation to guide customers on Service Tag usage patterns.

The vulnerability allows malicious actors to bypass firewall rules based on Azure Service Tags by forging requests from trusted services. This means that a threat actor could exploit Service Tags permitted through a user’s firewall if there are no additional validation controls. Such an exploit could grant an attacker access to an organization’s Azure services and other internal and private Azure resources.

“This vulnerability enables an attacker to control server-side forge requests, thus impersonating trusted Azure services,” explained Liv Matan, senior research engineer at Tenable. “We highly recommend customers take immediate action. By ensuring that strong network authentication is maintained, users can defend themselves with an additional and crucial layer of security.”

Azure customers relying on Azure Service Tags for firewall security are at significant risk and should act promptly to mitigate the issue. Implementing robust layers of authentication and authorization is essential to protect against potential exploits stemming from this vulnerability.
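
As an added example (not code from Tenable or Microsoft), the audit below lists inbound Allow rules in a network security group whose source is a Service Tag, so each one can be checked for an authentication layer behind it. The rule list is constructed sample data in the shape of `az network nsg rule list -o json` output, and the `authenticated` set is a hypothetical, manually maintained inventory of rules whose backend enforces its own authentication.

```python
import ipaddress

# Constructed sample rules, shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "allow-devops", "access": "Allow", "direction": "Inbound", "priority": 100,
     "sourceAddressPrefix": "AzureDevOps", "sourceAddressPrefixes": [], "destinationPortRange": "443"},
    {"name": "allow-office", "access": "Allow", "direction": "Inbound", "priority": 110,
     "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [], "destinationPortRange": "443"},
    {"name": "allow-apim", "access": "Allow", "direction": "Inbound", "priority": 120,
     "sourceAddressPrefix": None, "sourceAddressPrefixes": ["ApiManagement", "198.51.100.7"], "destinationPortRange": "8080"},
    {"name": "deny-ml", "access": "Deny", "direction": "Inbound", "priority": 130,
     "sourceAddressPrefix": "AzureMachineLearning", "sourceAddressPrefixes": [], "destinationPortRange": "*"},
]

def is_service_tag(prefix):
    """A source that is neither empty, '*', nor an IP/CIDR is a Service Tag name."""
    if not prefix or prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True
    return False

def audit(rules, authenticated=frozenset()):
    """Return (name, tags, port, status) for inbound Allow rules that trust a Service Tag.

    `authenticated` is a hypothetical inventory: names of rules whose backend is
    known to enforce its own authentication and authorization.
    """
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["access"] != "Allow" or rule["direction"] != "Inbound":
            continue
        sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
        tags = [s for s in sources if is_service_tag(s)]
        if tags:
            status = "ok-auth-layered" if rule["name"] in authenticated else "review-tag-only"
            findings.append((rule["name"], tags, rule.get("destinationPortRange"), status))
    return findings

if __name__ == "__main__":
    for name, tags, port, status in audit(SAMPLE_RULES, authenticated={"allow-apim"}):
        print(f"{status:16} {name:14} tags={','.join(tags)} port={port}")
```

Rules reported as `review-tag-only` are the ones where the Service Tag is the only control in front of the resource.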

Author

  • Hello! I’m Mark, the founder of techcoffeehouse.com. I love a good plate of Chicken Rice. So, if you have a story as good as the dish, HMU!

    Managing Editor