News

Microsoft Declares Power Platform Flaw, Found by Tenable, To Be Fixed

Microsoft also suggested that it takes time to fix some vulnerabilities, after getting criticism from Tenable's CEO.

• By Kurt Mackie
• 08/07/2023

Microsoft on Friday announced that it had fixed security issues with "Power Platform Custom Connectors using Custom Code" that had been identified by security solutions firm Tenable back in March 2023.  

"This issue has been fully addressed for all customers and no customer remediation action is required," the announcement indicated. The only breach detected by Microsoft was the activity of the "security researcher that reported the incident, and no other actors."

Microsoft had notified potentially affected customers on "4 August 2023" via Message Center post MC665159. Message Center posts only get seen by account administrators, so the Friday Microsoft post was a somewhat rare public announcement.

Microsoft likely went public in response to open criticisms by Amit Yoran, CEO of Tenable, who characterized Microsoft's slow response as being "grossly irresponsible" security practices, and lacking in transparency.

Microsoft's Friday post seemed to downplay the vulnerability's risk, saying that "moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability." It took Microsoft about five months to issue a fix that addressed the issue.

There's no action for Power Platform users to take because Microsoft likely changed how the Azure Function service works on its Azure infrastructure. Tenable had explained that "this Azure Function is deployed and managed by Microsoft, not as part of the customer’s environment."

Tenable had discovered that it was possible for an attacker to determine "the hostname of an Azure Function associated with the custom connector." An attacker could then "interact with the function, as defined by the custom connector code, without authentication." This attack scenario gave an attacker the ability to "intercept OAuth client IDs and secrets, as well as other forms of authentication." It was easy to use this approach to attack other Azure customer tenancies as well, Tenable indicated.

Microsoft explained that the Power Platform Custom Connectors using Custom Code feature lets its customers "write code for custom connectors." The vulnerability, now addressed, could have led to "unauthorized access to Custom Code functions," Microsoft admitted. However, it also characterized the vulnerability as an "information disclosure" issue.

That assertion had been contested by Tenable, in its description, as follows:

It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact. However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing.

Microsoft's Friday announcement asserted that it generally monitors for exploits when a security issue has been exposed by researchers.

"In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit," the announcement indicated.

Microsoft's responsiveness to security issues was criticized by security solutions companies Tenable and CrowdStrike. It comes shortly after Microsoft faced criticism on Capitol Hill for a purported hack by China, where Senator Wyden blamed the company for its "negligent cybersecurity practices" in a July 27 letter (PDF).