A critical Microsoft Power Platform vulnerability exposed organizations’ authentication data and other secrets, but the tech giant has been accused of handling it poorly.
In March, researchers at vulnerability management company Tenable discovered a critical vulnerability in Microsoft’s Power Platform. The platform, which can be connected to Microsoft 365, Azure and other apps, enables organizations to analyze data, build applications and automate processes.
The security hole was caused by “insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform”.
“It was possible for an attacker who determined the hostname of the Azure Function associated with the custom connector to interact with the underlying code without authentication.With one such hostname, an attacker could determine the hostnames for Azure Functions associated with other customers’ custom connectors, as they differed only by an integer,” Tenable explained in an advisory.
Exploitation of the vulnerability could have allowed an attacker to access cross-tenant applications, and obtain authentication secrets and other sensitive data.
Tenable researchers also warned that this was not only an information disclosure issue, “as being able to access and interact with the unsecured Function hosts and custom connector code could have further impact”.
The flaw was reported to Microsoft in late March, but it took the tech giant several months to roll out even a partial fix, which prompted industry veteran and Tenable CEO Amit Yoran to criticize the company for its handling of the issue.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said.
Tenable published an advisory with limited information about the flaw on July 31 because Microsoft had only addressed the issue for new applications and promised to roll out a complete fix only by the end of September.
Then, shortly after Yoran complained about the tech giant’s handling of the vulnerability, Microsoft implemented a fix for previously affected hosts as well and Tenable updated its advisory to include technical information and proof-of-concept (PoC) code.
Yoran is not the only one who has criticized Microsoft in recent days over its handling of security issues. The tech giant has also faced accusations from a US official and other respected members of the cybersecurity community.
Update: A Microsoft spokesperson told SecurityWeek that the company’s initial fix in June mitigated the issue for a majority of customers and it has now been fully addressed. Customers do not need to take any action.
“We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption,” the Microsoft spokesperson said.