Microsoft has silently patched an important-severity security flaw in Azure Cognitive Search (ACS) after an external researcher reported that a flawed feature enabled cross-tenant network bypass attacks.
The vulnerability, discovered by researchers at Mnemonic, effectively removed the network and identity perimeter surrounding internet-isolated Azure Cognitive Search instances and permitted cross-tenant access to the data plane of ACS instances from any location, including instances with no explicit network exposure.
According to Mnemonic researcher Emilien Socchi, Microsoft quietly patched the vulnerability at the end of August 2022, roughly six months after it was first reported.
The vulnerability, dubbed ACSESSED, affected all instances of Azure Cognitive Search that enabled the “Allow access from portal” feature.
“By enabling this feature, customers were effectively granted cross-tenant access to the data plane of their ACS instances from any location, regardless of the latter’s actual network configurations. This included instances exposed only on private endpoints as well as instances with no explicit network exposure, such as the one I deployed for investigation (i.e. instances without any private, service, or public endpoint),” the researcher cautioned.
“Customers were able to enable a vulnerable feature with the click of a button, which removed the entire network perimeter configured around their ACS instances without providing any real identity perimeter (i.e., anyone could generate a valid access token for ARM),” Socchi explained.
Microsoft, according to the Mnemonic researcher, paid a $10,000 bounty and raised the risk level from moderate to significant due to the cross-tenant risk and ease of exploitation.
Microsoft stated at one point during the disclosure process that the patch was delayed because the fix required “a substantial design level change.”
*a previous version of the article incorrectly referenced Azure Container Services, which shares the same acronym as Azure Cognitive Search, ACS.