NetSPI VP of Research finds cross-tenant compromise in popular Azure automation tool, works closely with Microsoft to remediate the issue.
Minneapolis, MN – NetSPI, the leader in offensive security, today disclosed the threat research findings of Vice President of Research Nick Landers who discovered and reported a cross-tenant compromise in Power Platform Connectors, a first party provider hosted in Microsoft Azure.
In close collaboration with NetSPI, Microsoft quickly fixed the issue. Due to the cross-tenant implications of this vulnerability, if it were left unresolved, malicious attackers could have jumped between tenants using the Power Platform Connectors backend and gained access to sensitive data, Azure access tokens, and more.
As background, Azure features a large suite of automation tools, including Logic Apps and the Power Platform. On-Prem Data Gateways extend these automation tools, allowing actions to be carried out by a connected agent installed locally in customer networks – which is where Landers found the vulnerability. Originally, these gateways were intended for personal use only, but users can also connect them to an Azure tenant and make them available to the larger subscription. In Landers’ research, he inspected how these Logic Apps interact with data gateways and discovered remote code execution opportunities on both the gateways themselves and the supporting Power Platform Connectors hosted in Azure, allowing for the compromise of cross-tenant data.
“This vulnerability is yet another example of just how pervasive deserialization flaws continue to be, especially for large technology vendors like Microsoft,” explains Landers. “Security teams should be aware of deserialization-based vulnerabilities, assume most connected systems and apps are exploitable, and understand that the simple exploitation might be buried in a bit of technical complexity. I welcome the research community to join me in continued deserialization research as we work to make cross-tenant environments more secure.”
Landers worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue. As a resolution, the Power Platform team completely rebuilt their serialization binder to enforce stricter whitelists, while creating distinct binders for both gateway and cloud environments.
NetSPI is the leader in enterprise penetration testing, attack surface management, and breach and attack simulation – the most comprehensive suite of offensive security solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. For over 20 years, its global cybersecurity experts have been committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and the top 50 companies in the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with global offices across the U.S., Canada, the UK, and India.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.