NetSPI disclosed the threat research
findings of Vice President of Research Nick Landers, who discovered and
reported a cross-tenant compromise in Power Platform Connectors, a first-party
provider hosted in Microsoft Azure.
In close collaboration with NetSPI, Microsoft quickly fixed the
issue. Due to the cross-tenant implications of this vulnerability, if it
were left unresolved, malicious attackers could have jumped between
tenants using the Power Platform Connectors backend and gained access to
sensitive data, Azure access tokens, and more.
As background, Azure features a large suite of automation tools, including Logic Apps and the Power Platform. On-Prem Data Gateways
extend these automation tools, allowing actions to be carried out by a
connected agent installed locally in customer networks - which is where
Landers found the vulnerability. Originally, these gateways were
intended for personal use only, but users can also connect them to an
Azure tenant and make them available to the larger subscription. In
Landers' research, he inspected how these Logic Apps interact with data
gateways and discovered remote code execution opportunities on both the
gateways themselves and the supporting Power Platform Connectors hosted
in Azure, allowing for the compromise of cross-tenant data.
"This vulnerability is yet another example of just how pervasive
deserialization flaws continue to be, especially for large technology
vendors like Microsoft," explains Landers. "Security teams should be
aware of deserialization-based vulnerabilities, assume most connected
systems and apps are exploitable, and understand that the simple
exploitation might be buried in a bit of technical complexity. I welcome
the research community to join me in continued deserialization research
as we work to make cross-tenant environments more secure."
Landers worked closely with the Microsoft Security Response Center
(MSRC) to disclose and remediate the issue. As a resolution, the Power
Platform team completely rebuilt their serialization binder to enforce
stricter whitelists, while creating distinct binders for both gateway
and cloud environments.
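The remediation described above, an allow-list serialization binder with a separate binder per trust boundary, is shown here as an added illustration in C#. It is not NetSPI's research code nor the Power Platform team's actual binder; the message types, the namespace names and the two factory methods are constructed placeholders for the sake of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Constructed placeholder message types; stand-ins, not Power Platform's real contracts.
namespace Example.Messages
{
    [Serializable] public sealed class GatewayHeartbeat { public string GatewayId = ""; }
    [Serializable] public sealed class CloudJobRequest  { public string JobId = ""; }
}

namespace Example.Security
{
    // Allow-list binder: a type name that was not registered up front is rejected outright.
    // Returning null or falling back to Type.GetType would let a type name chosen by the
    // sender be instantiated, which is the root cause of deserialization-based code execution.
    public sealed class AllowListBinder : SerializationBinder
    {
        private readonly Dictionary<string, Type> _allowed = new(StringComparer.Ordinal);
        public string Boundary { get; }

        public AllowListBinder(string boundary, params Type[] allowedTypes)
        {
            Boundary = boundary;
            foreach (var t in allowedTypes) _allowed[t.FullName!] = t;
        }

        // Called by the formatter for every type name found in the payload.
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (_allowed.TryGetValue(typeName, out var type)) return type;
            throw new SerializationException(
                $"[{Boundary}] refusing to deserialize '{typeName}' from '{assemblyName}': not on the allow-list");
        }

        // Called when serializing; refuse to emit anything the peer could not bind anyway.
        public override void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
        {
            if (!_allowed.ContainsKey(serializedType.FullName!))
                throw new SerializationException($"[{Boundary}] refusing to serialize '{serializedType.FullName}'");
            assemblyName = null;                 // let the formatter write its default assembly name
            typeName = serializedType.FullName;  // stable, version-independent type name
        }

        // Distinct binders per environment (hypothetical factories): the on-prem gateway never
        // needs cloud job types, so its allow-list is narrower than the cloud side's.
        public static AllowListBinder ForGateway() =>
            new("gateway", typeof(Example.Messages.GatewayHeartbeat));

        public static AllowListBinder ForCloud() =>
            new("cloud", typeof(Example.Messages.GatewayHeartbeat), typeof(Example.Messages.CloudJobRequest));
    }

    public static class Program
    {
        public static void Main()
        {
            var gateway = AllowListBinder.ForGateway();
            var cloud   = AllowListBinder.ForCloud();

            // A registered type resolves on the side that declares it.
            Console.WriteLine(cloud.BindToType("Example", "Example.Messages.CloudJobRequest").Name);

            // The same name is rejected on the gateway side, which has no use for it.
            try { gateway.BindToType("Example", "Example.Messages.CloudJobRequest"); }
            catch (SerializationException e) { Console.WriteLine(e.Message); }

            // An arbitrary, unregistered type name is rejected everywhere, whatever assembly it claims.
            try { cloud.BindToType("Some.Assembly", "Some.Unexpected.Type"); }
            catch (SerializationException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

Two caveats apply when adopting this pattern. A binder only constrains serializers that consult one (BinaryFormatter, NetDataContractSerializer, and, via its own ISerializationBinder interface, Json.NET when TypeNameHandling is enabled); Microsoft's published guidance is that BinaryFormatter cannot be made safe even with a binder, and current .NET releases disable it by default, so the binder is a defence in depth for the serializers that remain, not a reason to keep an unsafe one. And an allow-list is only as safe as the types on it: every registered type should be a plain data contract with no side effects in its constructors, property setters or deserialization callbacks.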
A technical explanation of the vulnerability discovery can be found in the NetSPI technical blog,
Riding the Azure Service Bus (Relay) into Power Platform.