Best Top Reviews Online

Microsoft Patches Cross-Tenant Azure Data Access Vulnerability

Microsoft has silently patched an important-severity security flaw in Azure Cognitive Search (ACS) after an external researcher reported that a flawed feature enabled cross-tenant network bypass attacks.

The vulnerability, discovered by researchers at Mnemonic, effectively removed the network and identity perimeter surrounding internet-isolated Azure Cognitive Search instances and permitted cross-tenant access to the data plane of ACS instances from any location, including instances with no explicit network exposure.

According to Mnemonic researcher Emilien Socchi, Microsoft quietly patched the vulnerability at the end of August 2022, roughly six months after it was first reported.

The vulnerability, dubbed ACSESSED, affected all instances of Azure Cognitive Search that enabled the “Allow access from portal” feature.

“By enabling this feature, customers were effectively granted cross-tenant access to the data plane of their ACS instances from any location, regardless of the latter’s actual network configurations. This included instances exposed only on private endpoints as well as instances with no explicit network exposure, such as the one I deployed for investigation (i.e. instances without any private, service, or public endpoint),” the researcher cautioned.

“Customers were able to enable a vulnerable feature with the click of a button, which removed the entire network perimeter configured around their ACS instances without providing any real identity perimeter (i.e., anyone could generate a valid access token for ARM),” Socchi explained.

Microsoft, according to the Mnemonic researcher, paid a $10,000 bounty and raised the risk level from moderate to significant due to the cross-tenant risk and ease of exploitation.

Microsoft stated at one point during the disclosure process that the patch was delayed because the fix required “a substantial design level change.”

*A previous version of the article incorrectly referenced Azure Container Services, which shares the same acronym as Azure Cognitive Search, ACS.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
