White-listing Azure cloud connections to grease your Office 365 wheels? About that...
Dev fears sub-domain abuse – Plus, unofficial patches for trio of Windows zero-days
Microsoft has been accused of ignoring an IT security risk that could be exploited to create legit-looking malware-laden webpages that sport seemingly trusted Azure and Office 365 domain names. Alternatively, the domains potentially could be used to stealthily leak stolen data from networks.
It's not a world-shattering threat by a long shot, though if you're a sysadmin – and we know a good bunch of you are – it's quite possibly something to bear in mind when configuring your network security, proxy boxes, and gateways.
Software developer Patrick Dwyer reckons anyone with an Azure subscription can, or at least could at time of writing, register a *.azureedge.net or *.blob.core.windows.net address, such as the convincing tokyo-1-mail-server.azureedge.net. These can be pointed at arbitrary content. For example, Dwyer created patros-issue-233.azureedge.net/index.html and patrosissue233.blob.core.windows.net/index/index.html to prove his point...
And here's where it gets a bit unfortunate: Microsoft encourages organizations to white-list and perhaps even prioritize Office 365 connections by identifying and green-lighting traffic to and from these cloud-based endpoints, and these endpoints include gems like mlccdnprod.azureedge.net and *.blob.core.windows.net. A full list for worldwide customers is here, for example.
Thus it is possible for someone to request and obtain their own custom blahblahblah.blob.core.windows.net domain, host bad things on it, such as malware and spear-phishing pages, and watch a corporate firewall allow a victim's PC to connect to it, via an email or other link, because *.blob.core.windows.net has been white-listed for Office 365. If a netadmin has white-listed all of azureedge.net, then that's another way in. This is all according to Dwyer.
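One way to audit a bypass list for this over-trust, as an added example that is not code from the article, Dwyer or Microsoft: it flags entries that cover a whole shared Azure namespace rather than one named endpoint. The matching semantics ('*' spans labels, a leading dot means "all sub-domains") and the `SAMPLE` list are assumptions; adjust them to how your proxy or firewall actually matches.

```python
from fnmatch import fnmatchcase

# Namespaces where, per the article, any Azure subscriber can obtain a host name.
SHARED_SUFFIXES = ("azureedge.net", "blob.core.windows.net")

# Constructed bypass list for illustration; not a real export from any device.
SAMPLE = ["mlccdnprod.azureedge.net", "*.blob.core.windows.net",
          ".azureedge.net", "*.office.com"]

def normalize(entry):
    """Reduce an allow-list entry or URL to a lower-case host pattern."""
    host = entry.strip().lower().split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0].rstrip(".")

def matches(host, entry):
    """Assumed device semantics: '*' is a glob, '.suffix' covers all sub-domains."""
    host, pat = normalize(host), normalize(entry)
    if "*" in pat:
        return fnmatchcase(host, pat)
    if pat.startswith("."):
        return host.endswith(pat)
    return host == pat

def exposed_suffix(entry):
    """Return the shared namespace this entry opens to tenant-chosen names, else None."""
    pat = normalize(entry)
    # One concrete host the pattern certainly accepts ('*' filled with a label).
    candidate = pat.replace("*", "x").lstrip(".")
    if pat == candidate:            # exact FQDN: trusts one named endpoint only
        return None
    for suffix in SHARED_SUFFIXES:
        probe = "constructed-tenant-0000." + suffix   # stands in for any tenant name
        if matches(probe, entry) or candidate.endswith("." + suffix):
            return suffix
    return None

def audit(entries):
    """List (entry, namespace) pairs that trust more than a single endpoint."""
    return [(e, s) for e in entries if (s := exposed_suffix(e))]

def would_bypass(host, entries):
    """Would traffic to this host skip inspection under the given bypass list?"""
    return any(matches(host, e) for e in entries)

if __name__ == "__main__":
    for entry, suffix in audit(SAMPLE):
        print(f"over-broad: {entry!r} trusts every tenant under {suffix}")
    for url in ("patros-issue-233.azureedge.net/index.html",
                "patrosissue233.blob.core.windows.net/index/index.html"):
        print(url, "-> bypassed" if would_bypass(url, SAMPLE) else "-> inspected")
```

Run against the constructed list, it reports the wildcard and leading-dot entries as over-broad and shows that both of Dwyer's proof-of-concept addresses would skip inspection, while the exact `mlccdnprod.azureedge.net` entry alone would not let them through.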
We appreciate that you may have defenses in place to stop exploit kits, malware, phishing pages, and other nasties from being fetched and opened on workstations, of course, besides blocking malicious Azure sub-domains.
Additionally, we're told the trusted domains could potentially be used by network intruders and rogue employees to covertly move stolen data out of an organization: there's nothing suspicious in information trickling out to a legit-looking azureedge.net machine, your firewall security may think.
"To optimize Office 365 traffic, in our case to fix issues with Skype, that list of endpoints is used," Dwyer told The Register on Tuesday in discussing the find. "And by optimize you bypass your normal proxy and perimeter security devices. So if you decide to trust that list, anyone can create an Azure CDN or Azure Blob Storage account and use it to download whatever malware, exploit, tools they want onto your network.
"Perhaps the more potentially problematic scenario is that post exploit, an attacker could use an Azure Blob Storage account to exfiltrate all your corporate data and you might not even know, or even have a record of it, because it is going straight out bypassing your normal network perimeter security."
Redmond is remaining mostly tight-lipped on the matter. Dwyer said that, after reporting the issue back in November, Microsoft sent him a "thanks for sharing" note, a promise to look into it, and a followup claim that it isn't a problem. The issue was eventually closed as a WONTFIX at the end of last week.
"Because Microsoft owns the azureedge.net DNS domain and the DNS servers resolving names in that domain, only Microsoft can create new names and host new CDN profiles in that domain," Microsoftie Joe Davis said.
Dwyer hit back, though: "Anyone with an Azure subscription can request one via the portal to be created by Microsoft automatically. I have concerns that organisations will give *.azureedge.net more trust than it deserves when configuring network perimeter devices like firewalls and proxy servers.
"You're even encouraging network perimeter device vendors to treat my content, and the content of however many Azure CDN customers there are, as Office 365 traffic."
A Microsoft spokesperson was unable to comment before publication. If you have any thoughts, hints and tips, or similar warnings of other security snafus, please do share in the comments... ®