Microsoft today revealed it fixed a vulnerability in its Azure Container Instances services that could have been exploited by a malicious user “to access other customers’ information.”
Azure Container Instances (ACI) is a serverless container environment. Microsoft says it offers the flexibility of containers and the security of VMs running atop a hypervisor.
No technical details of the flaw have been revealed, save that users should “revoke any privileged credentials that were deployed to the platform before August 31, 2021,” and that rotating privileged credentials would be “an effective precautionary measure” – perhaps suggesting an authentication issue. Microsoft has also reminded users that credentials can be found in environment variables, secret volumes, and even in Azure file shares – so there may be a bit of tidying up to do.
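The clean-up Microsoft describes starts with an inventory: before you can rotate privileged credentials you need to know which container groups carry them, whether as plaintext environment variables, as `secureValue` variables (whose contents the API does not return), as secret volumes, or as mounted Azure file shares. The Python script below is an added example, not code from Microsoft, Palo Alto Networks or the ACI service; it walks container-group JSON of the shape `az container list -o json` returns and flags each place a credential may sit. The field names (`containers[].environmentVariables`, `volumes[].secret`, `volumes[].azureFile`) are assumptions drawn from the ACI resource schema, and the sample data, including the `rg-prod` resource group and its container groups, is constructed for the example.

```python
import json
import re

# Constructed sample mirroring the container-group JSON that `az container list`
# returns. Field names are assumptions based on the ACI resource schema; every
# value (group names, share names, the plaintext password) is invented.
SAMPLE_CONTAINER_GROUPS = json.loads("""
[
  {
    "name": "billing-worker",
    "resourceGroup": "rg-prod",
    "containers": [
      {
        "name": "worker",
        "environmentVariables": [
          {"name": "LOG_LEVEL", "value": "info"},
          {"name": "DB_PASSWORD", "value": "placeholder-plaintext-password"},
          {"name": "API_TOKEN", "secureValue": null}
        ],
        "volumeMounts": [
          {"name": "certs", "mountPath": "/etc/certs"},
          {"name": "shared", "mountPath": "/mnt/share"}
        ]
      }
    ],
    "volumes": [
      {"name": "certs", "secret": {"tls.key": null}},
      {"name": "shared", "azureFile": {"shareName": "prod-share",
                                        "storageAccountName": "stprod"}}
    ]
  },
  {
    "name": "static-web",
    "resourceGroup": "rg-prod",
    "containers": [
      {"name": "nginx", "environmentVariables": [{"name": "PORT", "value": "80"}]}
    ],
    "volumes": []
  }
]
""")

# Heuristic for environment-variable names that usually hold a credential.
SECRET_NAME = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|KEY|CRED|CONN(ECTION)?_?STR)", re.I)


def find_credential_locations(groups):
    """Return one finding per place a credential may live in each container group.

    Each finding is a dict with keys: group, kind, location, detail.
    """
    findings = []
    for group in groups:
        group_id = f"{group['resourceGroup']}/{group['name']}"

        # Map volume name -> "container:mountPath" so a volume finding says
        # where the secret actually lands inside the running containers.
        mounts = {}
        for c in group.get("containers", []):
            for m in c.get("volumeMounts") or []:
                mounts.setdefault(m["name"], []).append(f"{c['name']}:{m['mountPath']}")

        for c in group.get("containers", []):
            for var in c.get("environmentVariables") or []:
                # The API never returns secureValue contents, so a variable with
                # no plaintext "value" was deployed as a secureValue.
                if var.get("value") is None:
                    findings.append({"group": group_id, "kind": "env-secure",
                                     "location": f"{c['name']} env {var['name']}",
                                     "detail": "secureValue (contents withheld by API)"})
                elif SECRET_NAME.search(var["name"]):
                    findings.append({"group": group_id, "kind": "env-plaintext",
                                     "location": f"{c['name']} env {var['name']}",
                                     "detail": "plaintext value readable via the API"})

        for vol in group.get("volumes") or []:
            where = ", ".join(mounts.get(vol["name"], ["not mounted"]))
            if vol.get("secret") is not None:
                findings.append({"group": group_id, "kind": "secret-volume",
                                 "location": f"volume {vol['name']} at {where}",
                                 "detail": f"keys: {', '.join(vol['secret'])}"})
            if vol.get("azureFile"):
                af = vol["azureFile"]
                findings.append({"group": group_id, "kind": "azure-file-volume",
                                 "location": f"volume {vol['name']} at {where}",
                                 "detail": f"share {af['shareName']} on {af['storageAccountName']}"})
    return findings


def summarize(findings):
    """Count findings per kind, which is the rotation to-do list at a glance."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_credential_locations(SAMPLE_CONTAINER_GROUPS)
    for f in results:
        print(f"{f['group']:28} {f['kind']:18} {f['location']:40} {f['detail']}")
    print(summarize(results))
```

To use it on a real subscription, replace the constructed sample with the parsed output of `az container list -o json`; every finding is a credential to rotate if the group was deployed before the 31 August 2021 cut-off. The name regex only catches variables whose names look secret-bearing, so a plaintext credential hiding behind a bland name still needs a manual look; secure values and secret volumes are flagged regardless of name because the API cannot show their contents.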
We also know that only a subset of users were exposed to the flaw, because Microsoft says that if you didn’t see a Service Health Notification about the issue in the Azure Portal you have nothing to worry about.
Microsoft has stated that its investigation “surfaced no unauthorized access to customer data.”
The issue is Microsoft’s second Azure cross-user data leak SNAFU in the past fortnight: in late August the IT giant disclosed that a flaw in its Cosmos DB allowed unauthorised read/write access to other users’ databases.
Microsoft’s announcement of the ACI hole focuses on Palo Alto Networks’ discovery, and responsible disclosure, of the mess. It is silent on whether the bug is in any way related to the Cosmos DB problem, whether Microsoft is reviewing how it handles credentials in Azure services, and how the Windows titan allowed two dangerous flaws to go into production in its cloud. Nor do we know why Palo Alto was testing ACI and if its work was in any way related to the Cosmos DB flaw.
Microsoft’s webpage for Azure Container Instances asks, “Why trust Container Instances?” and answers by stating that Microsoft “invests more than $1bn annually on cybersecurity research and development” and employs “more than 3,500 security experts who are dedicated to data security and privacy.”
That spend, and those people, have been found to have tripped up twice in the past two weeks alone. Fortuitously, these flaws have avoided consequences on the scale of those caused by the disastrous flaws in Microsoft Exchange Server, the PrintNightmare nightmare, and myriad other vulnerabilities found in its products over the years. ®