Tenable criticizes Microsoft for Azure vulnerabilities

Tenable Research has criticized Microsoft for its lack of transparency when it comes to cloud vulnerability disclosures.

On March 10, Tenable informed Microsoft of two privilege escalation vulnerabilities that affected the “underlying infrastructure” of Azure Synapse Analytics. Exploiting the flaws could potentially compromise the data of other Microsoft customers, Tenable warned. While Microsoft released patches beginning April 30, the disclosure process raised significant concerns, which Tenable addressed in several blog posts on Monday.

Tenable accuses Microsoft of a communication disconnect and of “downplaying” the severity of the two Azure vulnerabilities. More importantly, however, the security vendor said the episode speaks to a broader issue within the CVE system, which doesn’t cover flaws in cloud services.

“These flaws and our researchers’ interactions with Microsoft demonstrate the difficulties of addressing security-related issues in cloud environments,” the blog post read. “Customers are totally indebted to cloud providers to fix reported issues.”

While Tenable said both vendors initially seemed to agree on the critical severity of the Azure vulnerabilities, Microsoft changed the classification from a security issue to a “best practice recommendation” in the final days of the disclosure process, according to the blog. In addition, Tenable said that Microsoft refused to offer a reward or recognition for the finding.

Tenable CEO Amit Yoran personally addressed the transparency concerns in a statement on LinkedIn on Monday. He referred to Microsoft as a fox guarding the henhouse and said that, to date, Microsoft customers have not been notified of the two bugs that Tenable classified as critical.

“After assessing the situation, Microsoft decided to quietly patch one of the issues, minimizing the risk,” Yoran wrote. “It was only after they told us we were going to go public that their story changed…89 days after the initial vulnerability notification…that they privately acknowledged the severity of the security issue.”

A comprehensive disclosure timeline can be critical to company security. Yoran referred to the issue of silent patching as a “repeated pattern of behavior,” particularly with Microsoft. He noted that other vendors, including Orca Security, Wiz and Fortinet, have had similar experiences with the tech giant.

A prime example of downplaying security incidents occurred in May, when a Microsoft zero-day vulnerability, dubbed Follina by independent security researcher Kevin Beaumont, was exploited in the wild. Although Microsoft was notified of the flaw in April, it determined that it was not a security-related issue. Workarounds were not issued until after active exploitation.

“Without timely and detailed disclosures, customers have no idea if they were or are vulnerable to an attack…or if they were victims of an attack before a vulnerability was patched,” Yoran wrote.

More inconsistencies in communication

James Sebree, principal research engineer at Tenable, detailed the interaction in a separate blog post on Monday, citing a “major communications disconnect” between the Microsoft Security Response Center and the Synapse Analytics development team.

Sebree said his requests for status updates via email and the researcher portal went unanswered. It wasn’t until he reached out via Twitter that he received any response, according to the blog.

“It took too much effort to get any kind of meaningful response from our case agent,” Sebree wrote in the blog post.

He confirmed that the patch was applied quietly, without notifying Tenable.

“Unfortunately, miscommunications and downplaying of the severity of issues in its products and cloud offerings are far from unusual behavior for MSRC of late,” Sebree wrote.

Bob Huber, Tenable’s chief security officer and head of research, told SearchSecurity that Tenable has had no prior experiences like this with Microsoft regarding cloud vulnerabilities. While he said there is a need for a cloud flaw identification convention or taxonomy to help companies categorize and prioritize risks, he is much more concerned with transparency and disclosure.

“Since issues primarily require no user interaction, as they are usually fixed by the vendor, a CVE or CWE may not be the exact answer,” Huber said in an email to SearchSecurity.

Microsoft did not respond to requests for comment at the time of publication.