$40k bounty for complete read access to any customer database using the "public" networking access.
Caused by a bad regexp in the authentication mechanism acting as the first security layer, and lack of network-level inter-tenant isolation as a second layer of security.
I have been recommending clients to steer clear of anything Azure since it became obvious the platform is meant to lock in businesses to a seemingly workable system that eventually fails to force the client to pay for enterprise support.
Wasn't Wiz CEO's previous job leading Microsoft Israel R&D?
After his previous cyber security startup (Adallom) was acquired by Microsoft?
Azure's security stance was under his supervision [0].
Kind of ironic that his new security startup uncovers his failings at his old job...
Are current security monitoring systems - and I suppose a company like MS would be using state-of-the-art - not yet capable of detecting such anomalous behavior? A user gained root access, tried to access another internal IP address, tested multiple ports. I assume all these get logged at the kernel / hypervisor / firewall level...
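The comment above asks whether one host touching another internal address on many ports would show up in logs. As an added illustration (not code from the thread or from any vendor), here is the kind of simple detection a defender runs over flow or firewall logs: it groups connections by source/destination pair and flags pairs where one source has probed an unusual number of distinct ports, and separately flags sources fanning out to many internal destinations. The log format and the sample lines are constructed for this example; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample flow-log lines (not real data). Assumed format:
#   "<timestamp> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DENY>"
SAMPLE_LOGS = [
    # normal application traffic: one client, one database port
    "2021-01-01T10:00:01Z src=10.0.1.5 dst=10.0.2.10 dport=5432 action=ALLOW",
    "2021-01-01T10:00:02Z src=10.0.1.5 dst=10.0.2.10 dport=5432 action=ALLOW",
    "2021-01-01T10:00:03Z src=10.0.1.5 dst=10.0.2.10 dport=5432 action=ALLOW",
    # one source walking many ports on a single neighbour (probe-like)
    "2021-01-01T10:00:05Z src=10.0.1.9 dst=10.0.2.11 dport=22 action=DENY",
    "2021-01-01T10:00:06Z src=10.0.1.9 dst=10.0.2.11 dport=23 action=DENY",
    "2021-01-01T10:00:07Z src=10.0.1.9 dst=10.0.2.11 dport=80 action=DENY",
    "2021-01-01T10:00:08Z src=10.0.1.9 dst=10.0.2.11 dport=443 action=ALLOW",
    "2021-01-01T10:00:09Z src=10.0.1.9 dst=10.0.2.11 dport=3306 action=DENY",
    "2021-01-01T10:00:10Z src=10.0.1.9 dst=10.0.2.11 dport=5432 action=DENY",
    # same source also touching several other internal hosts on one port (fan-out)
    "2021-01-01T10:00:11Z src=10.0.1.9 dst=10.0.2.12 dport=5432 action=DENY",
    "2021-01-01T10:00:12Z src=10.0.1.9 dst=10.0.2.13 dport=5432 action=DENY",
    "2021-01-01T10:00:13Z src=10.0.1.9 dst=10.0.2.14 dport=5432 action=DENY",
    # a malformed line, which the parser must skip rather than crash on
    "2021-01-01T10:00:14Z garbage line with no fields",
]

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_flows(lines):
    """Yield (src, dst, dport, action) tuples; silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["action"]


def find_port_probes(lines, min_ports=5):
    """Return {(src, dst): sorted distinct ports} for pairs where a single source
    touched at least min_ports distinct ports on one destination."""
    ports_by_pair = defaultdict(set)
    for src, dst, dport, _action in parse_flows(lines):
        ports_by_pair[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports_by_pair.items() if len(p) >= min_ports}


def find_fan_out(lines, min_dsts=3):
    """Return {src: sorted destinations} for sources that contacted at least
    min_dsts distinct internal destinations (lateral-movement-like fan-out)."""
    dsts_by_src = defaultdict(set)
    for src, dst, _dport, _action in parse_flows(lines):
        dsts_by_src[src].add(dst)
    return {src: sorted(d) for src, d in dsts_by_src.items() if len(d) >= min_dsts}


def deny_ratio(lines, src):
    """Fraction of a source's flows that were denied; a high ratio alongside a
    probe or fan-out finding strengthens the signal."""
    total = denied = 0
    for s, _dst, _dport, action in parse_flows(lines):
        if s == src:
            total += 1
            denied += action == "DENY"
    return denied / total if total else 0.0


if __name__ == "__main__":
    print("port probes:", find_port_probes(SAMPLE_LOGS))
    print("fan-out:", find_fan_out(SAMPLE_LOGS))
    print("deny ratio for 10.0.1.9:", round(deny_ratio(SAMPLE_LOGS, "10.0.1.9"), 2))
```

The two aggregations are deliberately independent so that a source which only port-walks one neighbour and a source which only touches one port on many hosts are both surfaced; combining either with the deny ratio reduces false positives from legitimate scanners and health checks.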
There's a certain level of tech schadenfreude when it comes to Microsoft failing. It's hard to say that Azure has more issues than AWS based on gut feel of recent white hat blog post volume.
I think AWS's very granular permissions using IAM helps. Even though most people I talk to hate it, I quite like it. Start out with a role with no permissions and open only what's required for your stuff to work.
I've found that AWS IAM is amazing compared to Azure AD. With AWS you can do per-workload account vending and grant account owners full "AdministratorAccess", because IAM resources are tied to the account. In Azure it's batshit crazy: almost all IAM resources - roles, groups, principals etc - are tied to the overarching AD tenant and not to the AWS Account equivalent, a subscription. In short this means that I, the owner of a subscription (broad powers), cannot add a new IAM role or associate it with a resource for user assignment. It gets worse... Azure AD limits are tenant wide leading to big orgs refusing to add IAM primitives because they might hit a service limit. And the lack of ABAC makes KeyVault almost unusable compared to AWS Secrets Manager. But hey, at least I have system assigned managed identities for SQL logins, that was kinda cool until AWS introduced IAM auth for RDS.
When Flexible Server was first announced, I'm sure I remember them stating it'll use Private (VNet) networking by default. Seems strange they've changed tack there.
Either way, we migrated to Flexible Server on day one of GA purely for the performance benefits (Linux) over Single Server (Windows). While there have been some painful moments, also around High Availability, the service has been a huge leap forward.