{"id":1193078,"date":"2024-06-10T13:14:54","date_gmt":"2024-06-10T15:14:54","guid":{"rendered":"https:\/\/teknomers.com\/fr\/vulnerabilite-azure-service-tags-microsoft-met-en-garde-contre-un-abus-potentiel-de-la-part-de-pirates\/"},"modified":"2024-06-10T13:14:59","modified_gmt":"2024-06-10T15:14:59","slug":"vulnerabilite-azure-service-tags-microsoft-met-en-garde-contre-un-abus-potentiel-de-la-part-de-pirates","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/vulnerabilite-azure-service-tags-microsoft-met-en-garde-contre-un-abus-potentiel-de-la-part-de-pirates\/","title":{"rendered":"Vuln\u00e9rabilit\u00e9 Azure Service Tags\u00a0: Microsoft met en garde contre un abus potentiel de la part de pirates"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">10 juin 2024<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">R\u00e9daction<\/span><\/span><span class=\"p-tags\">S\u00e9curit\u00e9\/Vuln\u00e9rabilit\u00e9 du Cloud<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/06\/Vulnerabilite-Azure-Service-Tags-Microsoft-met-en-garde-contre-un.gif\" style=\"clear: left; display: block; float: left; text-align: center;\"><\/a><\/div>\n<p>Microsoft met en garde contre l&#8217;abus potentiel des Azure Service Tags par des acteurs malveillants pour forger des requ\u00eates provenant d&#8217;un service de confiance et contourner les r\u00e8gles de pare-feu, leur permettant ainsi d&#8217;obtenir un acc\u00e8s non autoris\u00e9 aux ressources cloud.<\/p>\n<p>&#8220;Cette affaire met en \u00e9vidence un risque inh\u00e9rent \u00e0 l&#8217;utilisation des balises de service comme m\u00e9canisme unique pour contr\u00f4ler le trafic r\u00e9seau entrant&#8221;, a d\u00e9clar\u00e9 le Microsoft Security Response Center (MSRC). <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/blog\/2024\/06\/improved-guidance-for-azure-network-service-tags\/\" target=\"_blank\">dit<\/a> dans une orientation publi\u00e9e la semaine derni\u00e8re.<\/p>\n<p>&#8220;Les balises de service ne doivent pas \u00eatre trait\u00e9es comme une limite de s\u00e9curit\u00e9 et ne doivent \u00eatre utilis\u00e9es que comme m\u00e9canisme de routage en conjonction avec des contr\u00f4les de validation. Les balises de service ne constituent pas un moyen complet de s\u00e9curiser le trafic vers l&#8217;origine d&#8217;un client et ne remplacent pas la validation des entr\u00e9es pour \u00e9viter les vuln\u00e9rabilit\u00e9s. qui peuvent \u00eatre associ\u00e9s \u00e0 des requ\u00eates Web.&#8221;<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thehackernews.uk\/1p-d-v3\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/06\/Vulnerabilite-Azure-Service-Tags-Microsoft-met-en-garde-contre-un.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>La d\u00e9claration fait suite aux conclusions de la soci\u00e9t\u00e9 de cybers\u00e9curit\u00e9 Tenable, qui a constat\u00e9 que les clients Azure dont les r\u00e8gles de pare-feu reposent sur Azure Service Tags pourraient \u00eatre contourn\u00e9s.  Il n\u2019y a aucune preuve que cette fonctionnalit\u00e9 ait \u00e9t\u00e9 exploit\u00e9e dans la nature.<\/p>\n<p>Le probl\u00e8me, \u00e0 la base, vient du fait que certains services Azure autorisent le trafic entrant via une \u00e9tiquette de service, permettant potentiellement \u00e0 un attaquant d&#8217;un client d&#8217;envoyer des requ\u00eates Web sp\u00e9cialement con\u00e7ues pour acc\u00e9der aux ressources d&#8217;un autre client, en supposant qu&#8217;il ait \u00e9t\u00e9 configur\u00e9 pour autorise le trafic \u00e0 partir du num\u00e9ro de service et n&#8217;effectue aucune authentification propre.<\/p>\n<p>Au moins 10 services Azure ont \u00e9t\u00e9 jug\u00e9s vuln\u00e9rables\u00a0: Azure Application Insights, Azure DevOps, Azure Machine Learning, Azure Logic Apps, Azure Container Registry, Azure Load Testing, Azure API Management, Azure Data Factory, Azure Action Group, Azure AI Video Indexer et Azure Chaos Studio.<\/p>\n<p>&#8220;Cette vuln\u00e9rabilit\u00e9 permet \u00e0 un attaquant de contr\u00f4ler les requ\u00eates c\u00f4t\u00e9 serveur, usurpant ainsi l&#8217;identit\u00e9 des services Azure fiables&#8221;, a d\u00e9clar\u00e9 Liv Matan, chercheuse chez Tenable. <a rel=\"nofollow noopener\" href=\"https:\/\/www.tenable.com\/blog\/these-services-shall-not-pass-abusing-service-tags-to-bypass-azure-firewall-rules-customer\" target=\"_blank\">dit<\/a>.  &#8220;Cela permet \u00e0 l&#8217;attaquant de contourner les contr\u00f4les r\u00e9seau bas\u00e9s sur les balises de service, qui sont souvent utilis\u00e9es pour emp\u00eacher l&#8217;acc\u00e8s public aux actifs, donn\u00e9es et services internes des clients Azure.&#8221;<\/p>\n<p>En r\u00e9ponse \u00e0 la divulgation fin janvier 2024, Microsoft a <a rel=\"nofollow noopener\" href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/virtual-network\/service-tags-overview\" target=\"_blank\">mis \u00e0 jour<\/a> la documentation pour indiquer explicitement que \u00ab les balises de service \u00e0 elles seules ne suffisent pas \u00e0 s\u00e9curiser le trafic sans tenir compte de la nature du service et du trafic qu&#8217;il envoie \u00bb.<\/p>\n<p>Il est \u00e9galement recommand\u00e9 aux clients de revoir leur utilisation des balises de service et de s&#8217;assurer qu&#8217;ils ont adopt\u00e9 des mesures de s\u00e9curit\u00e9 ad\u00e9quates pour authentifier uniquement le trafic r\u00e9seau approuv\u00e9 pour les balises de service.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2024\/06\/azure-service-tags-vulnerability.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80210 juin 2024\ue804R\u00e9dactionS\u00e9curit\u00e9\/Vuln\u00e9rabilit\u00e9 du Cloud Microsoft met en garde contre l&#8217;abus potentiel des Azure Service Tags par des acteurs malveillants pour forger des requ\u00eates provenant d&#8217;un service de confiance et contourner les r\u00e8gles de pare-feu, leur permettant ainsi d&#8217;obtenir un acc\u00e8s non autoris\u00e9 aux ressources cloud. &#8220;Cette affaire met en \u00e9vidence un risque inh\u00e9rent \u00e0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1193079,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[12479,200292,21082,4168,841,4165,4161,200267,525,4159,4171,200271,4955,8362,200268,200269,200270,901,4394,5301,128318,4172,4169,2314,129109,4166,3667,4164],"class_list":["post-1193078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-abus","tag-actualites-sur-la-cybersecurite","tag-azure","tag-comment-pirater","tag-contre","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-garde","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-met","tag-microsoft","tag-mises-a-jour-sur-la-cybersecurite","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-part","tag-pirates","tag-potentiel","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-service","tag-tags","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1193078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1193078"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1193078\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1193079"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1193078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1193078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1193078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}