Microsoft has warned its Azure customers that its researchers found a vulnerability in Azure Container Instances (ACI) that could allow a user to access other customers’ information.
Microsoft reported in a blog post that the flaw had been fixed by its Palo Alto Networks team and that it had found no instances of unauthorized access to data by outside entities.
It said it had notified some customers they should change their login credentials as a precaution.
The blog post was in reply to a questionnaire sent by Reuters to the company regarding the breach. Microsoft did not answer any of the questions, including whether it was confident no data had been accessed.
Microsoft sends notifications to regenerate the primary read-write key
The company said the vulnerability only affects a subset of customers who had the Jupyter Notebook feature enabled. “Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable,” it added.

Cloud attacks by well-funded adversaries, including the government, seem a valid concern.
In the blog post, the company writes, “There is no indication any customer data was accessed due to this vulnerability. Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher activities, advising they revoke any privileged credentials that were deployed to the platform before August 31, 2021.”
The company said that customers who have not been notified need not worry. It has also provided a checklist of precautions to take to ensure that such events do not occur.
Palo Alto researcher Ariel Zelivansky told Reuters earlier that his team had been able to break out of Azure’s widely used system for so-called containers that store programs for users. Palo Alto reported the issue to Microsoft in July. Zelivansky said it had taken his team several months to fix the vulnerability.
He said the Azure containers had not been updated to patch a known vulnerability.
“This is the first attack on a cloud provider to use container escape to control other accounts,” said longtime container security expert Ian Coldwater, who reviewed Palo Alto’s work at Reuters’ request.
This is the second major flaw revealed in Microsoft’s core Azure system in as many weeks. In late August, security experts found a database flaw.
Coldwater said the problem reflected a failure to apply patches in a timely fashion, something Microsoft has often blamed its customers for.
“Keeping code updated is really important,” Coldwater said. “A lot of the things that made this attack possible would no longer be possible with modern software.”
Microsoft seems reluctant to take full responsibility for the vulnerability.
Coldwater said the research underscored the shared responsibility between cloud providers and customers for security.
Zelivansky also said that cloud architectures are generally safe, and added that cloud providers need to apply patches themselves rather than expecting customers to apply the updates.
But he noted that cloud attacks by well-funded adversaries, including national governments, are “a valid concern.”