Microsoft Addresses Misconfigured Token Exposing 38TB of Microsoft Data
The use of Microsoft's Shared Access Signature tokens can be a security problem, according to Wiz Research.
Microsoft indicated on Monday that it had revoked an overly permissioned Shared Access Signature (SAS) token, said to have exposed "38TB" of internal Microsoft data.
The action comes after "responsible disclosure" was provided by Wiz Research, a security solutions firm. Its researchers offered a thorough analysis of the problem in this announcement.
Wiz researchers explained that an SAS Account token was being used by Microsoft's AI research team to share "open source training data on GitHub," a developer code repository owned by Microsoft. The SAS Account token permitted data sharing from Azure Storage accounts. However, rather than being limited to specific files, it was "configured to share the entire storage account," Wiz Research explained.
That misconfiguration gave access to 38TB of backup data from two Microsoft employees, including "secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages," the Wiz researchers added.
Microsoft subsequently invalidated the over-permissioned SAS Account token on June 24, two days after Wiz Research first contacted the Microsoft Security Response Center about the issue. However, the token was first committed to GitHub on Oct. 5, 2021, according to Wiz Research, making the potential exposure period far longer than just a couple of days.
Microsoft contended that its customers were not affected by the issue:
No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.
The Wiz researchers, though, explained that the over-permissioned SAS Account token had granted "'full control' permissions instead of read-only," so a potential attacker had the ability to "delete and overwrite existing files." They described the use of SAS Account tokens as a likely security problem for organizations:
Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal. In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.
SAS tokens get created on the client side, and so they aren't an Azure-managed item, Wiz researchers explained. Moreover, revoking the associated key will revoke all other tokens associated with that key, so it can be a management dilemma, they added.
Microsoft, though, didn't appear to agree with that viewpoint, per this statement:
Like any key-based authentication mechanism, a SAS can be revoked at any time by rotating the parent key. In addition, SAS supports fine-grained revocation at the container level, without having to rotate storage account keys.
Microsoft advised organizations to use Azure Monitor and Azure Storage Logs and a "SAS Expiration Policy to detect clients using long-lived SAS URLs" as a best practice. However, Microsoft also admitted that its own overall scanning for the issue had incorrectly flagged it as a "false positive." It has now fixed that issue.
"Microsoft has expanded this detection to include any SAS token that may have overly permissive expirations or privileges," it explained. Microsoft also said it is "making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.