Unauthorised Access to Cross-Tenant Applications in Microsoft Power Platform

Introduction

Security researchers at Tenable discovered a significant vulnerability in Microsoft’s Power Platform. This vulnerability allowed unauthorized access to cross-tenant applications and sensitive data, including but not limited to authentication secrets. The issue arose due to insufficient access control to Azure Function hosts, which are initiated during the creation and operation of custom connectors in Microsoft’s Power Platform, including Power Apps and Power Automation. The implications of this vulnerability are severe, as it could potentially allow an attacker to gain unauthorized access to sensitive data across different tenants, leading to data breaches and compromising the security of multiple applications.

Details of the Vulnerability

The vulnerability, reported to Microsoft under Coordinated Vulnerability Disclosure (CVD) on March 30, 2023, pertained to Power Platform Custom Connectors using Custom Code. This feature, which allows customers to write code for custom connectors, was found to be susceptible to unauthorized access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.

Investigation and Mitigation

Upon investigation, Microsoft identified anomalous access only by the security researcher who reported the incident, with no evidence of access by other actors. All impacted customers have been notified of this anomalous access by the researcher through the Microsoft 365 Admin Center (MC665159).

Microsoft issued an initial fix on June 7, 2023, to mitigate this issue for a majority of customers. However, a subsequent report from Tenable on July 10, 2023, revealed that a very small subset of Custom Code in a soft deleted state were still impacted. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on August 2, 2023.

MITRE ATT&CK TTPs

The following MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) may be relevant to this vulnerability:

• T1078: Valid Accounts – The attacker may use valid accounts to interact with a system in a way that results in an information disclosure vulnerability.
• T1190: Exploit Public-Facing Application – The attacker may exploit a software vulnerability in a public-facing web application to gain unauthorized access to data.
• T1195: Supply Chain Compromise – The attacker may target the software supply chain to exploit this vulnerability, potentially affecting multiple tenants.

Mitigation and Forensic Analysis Steps

1. Review Access Logs: Review Azure Function host access logs for any unauthorized or suspicious activity. Look for any unusual patterns or access from unknown IP addresses. Specifically, check the logs for Azure Functions and Power Platform custom connectors.
2. Check for Unauthorized Access: Check for any unauthorized access to cross-tenant applications and sensitive data. This could be done by reviewing application logs and data access logs.
3. Review Custom Code: Review any custom code used in Power Platform custom connectors for potential vulnerabilities or embedded secrets.
4. Update Systems: Ensure that all systems are updated with the latest patches and updates from Microsoft. This includes the fix issued by Microsoft to mitigate this issue.
5. Monitor for Anomalous Activity: Continuously monitor systems for any anomalous activity that could indicate exploitation of this vulnerability.
6. Check Microsoft 365 Admin Center Notifications: Microsoft has notified affected customers about this issue via Microsoft 365 Admin Center (MC665159). If you did not receive this notification, then no action is required.

The Cascading Effect and Supply Chain Vulnerabilities

As the focus on cloud provider vulnerabilities increases, it’s important to understand the cascading effect of vulnerability discovery. This phenomenon, as described in a Threat Intel Report article, refers to the pattern where the announcement of a vulnerability in a popular product leads to increased scrutiny from security researchers and malicious actors alike. This heightened attention often results in the discovery of additional vulnerabilities in the same product, creating a cascade of vulnerability announcements.

Cloud providers are inherently vulnerable to this cascading effect due to the complexity and widespread use of their products. When a vulnerability is announced, it not only reveals a weakness in the product but also signals that the product or system in question may have other, yet undiscovered, vulnerabilities. This can lead to a chain reaction of vulnerability discoveries, each one potentially more severe than the last.

This cascading effect is particularly relevant in the context of supply chain vulnerabilities. Cloud providers are a crucial part of many organizations’ supply chains, and a vulnerability in a cloud provider’s product can have far-reaching implications. It can lead to unauthorized access to sensitive data across different tenants, leading to data breaches and compromising the security of multiple applications.

As such, it’s reasonable to expect that as scrutiny on cloud providers increases, we will see more vulnerabilities like the one discovered in Microsoft’s Power Platform. This underscores the importance of continuous monitoring and proactive threat hunting in cloud environments. Organizations should not only focus on patching known vulnerabilities but also invest in detecting and addressing new vulnerabilities as they emerge.

Remember, the best defense against any threat is a multi-layered security approach that includes regular patching, monitoring, and user education.

For more details, please refer to the original article from Tenable.