Tenable Research has called out Microsoft for a lack of transparency when it comes to cloud vulnerability disclosures.
On March 10, Tenable reported to Microsoft two privilege escalation vulnerabilities that affected the "underlying infrastructure" of Azure Synapse Analytics. Exploitation of the flaws could potentially lead to a compromise of other Microsoft customers' data, Tenable warned. While Microsoft did release patches beginning April 30, the disclosure process raised significant concerns, which Tenable addressed in several blog posts Monday.
Tenable accused Microsoft of a communication disconnect and of "downplaying" the severity of the two Azure vulnerabilities. More importantly, however, the security vendor said it speaks to a broader issue within the CVE system, which does not include cloud flaws.
"These flaws and our researchers' interactions with Microsoft demonstrate the difficulties involved in addressing security-related issues in cloud environments," the blog post read. "Customers are entirely beholden to the cloud providers to fix reported issues."
While Tenable said both vendors initially appeared to agree on the critical severity of the Azure vulnerabilities, Microsoft changed the classification from a security issue to a "best practice recommendation" in the final days of the disclosure process, according to the blog. Additionally, Tenable said Microsoft declined to award a bounty or acknowledge the finding.
Tenable CEO Amit Yoran personally addressed the transparency concerns in a separate statement on LinkedIn on Monday. He referred to Microsoft as a fox guarding the henhouse, and said that to date, Microsoft customers have not been notified of the two bugs that Tenable ranked as critical.
"After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," Yoran wrote. "It was only after being told that we were going to go public, that their story changed … 89 days after the initial vulnerability notification … when they privately acknowledged the severity of the security issue."
A comprehensive disclosure timeline can be critical for enterprise security. Yoran referred to the issue of silent patching as a "repeated pattern of behavior," particularly with Microsoft. He noted other vendors including Orca Security, Wiz and Fortinet had similar experiences with the tech giant.
One prime example of downplaying security incidents occurred in May, when a Microsoft zero-day vulnerability, dubbed Follina by independent security researcher Kevin Beaumont, was exploited in the wild. While Microsoft was notified of the flaw in April, the company determined it was not a security-related issue. Workarounds were not issued until after active exploitation.
"Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack … or if they fell victim to attack prior to a vulnerability being patched," Yoran wrote.
Further communication inconsistencies
James Sebree, principal research engineer at Tenable, detailed the interaction in a separate blog post Monday, in which he cited a "major communications disconnect" between Microsoft Security Response Center and the Synapse Analytics development team.
Sebree said his email and researcher portal requests for status updates went unanswered. It wasn't until he reached out through Twitter that he received any responses, according to the blog.
"It took entirely too much effort to get any sort of meaningful response from our case agent," Sebree wrote in the blog post.
He confirmed the patch was made silently with no notification to Tenable.
"Unfortunately, communication errors and downplaying the severity of issues in their products and cloud offerings is far from uncommon behavior for MSRC as of late," Sebree wrote.
Bob Huber, chief security officer and head of research at Tenable, told SearchSecurity that Tenable has not had prior experiences like this one with Microsoft regarding cloud vulnerabilities. While he said there is a need for convention or taxonomy for identifying cloud flaws to help enterprises categorize and prioritize risks, he's much more concerned about transparency and disclosure.
"Given the issues primarily require no interaction on behalf of the users -- as they are typically fixed by the provider -- a CVE or CWE may not be the exact answer," Huber said in an email to SearchSecurity.
Microsoft did not respond to requests for comment at press time.