Tenable slams Microsoft over Azure vulnerabilities

Tenable Research has called out Microsoft for a lack of transparency when it comes to cloud vulnerability disclosures.

On March 10, Tenable reported two privilege escalation vulnerabilities that affected the "underlying infrastructure" of Azure Synapse Analytics to Microsoft. Exploitation of the flaws could potentially lead to a compromise of other Microsoft customers' data, Tenable warned. While Microsoft did release patches beginning April 30, the disclosure process raised significant concerns, which Tenable addressed in several blog posts Monday.

Tenable accused Microsoft of a communication disconnect and of "downplaying" the severity of the two Azure vulnerabilities. More importantly, however, the security vendor said it speaks to a broader issue within the CVE system, which does not include cloud flaws.

"These flaws and our researchers' interactions with Microsoft demonstrate the difficulties involved in addressing security-related issues in cloud environments," the blog post read. "Customers are entirely beholden to the cloud providers to fix reported issues."

While Tenable said both vendors initially appeared to agree on the critical severity of the Azure vulnerabilities, Microsoft changed classification from a security issue to a "best practice recommendation" in the final days of the disclosure process, according to the blog. Additionally, Tenable said Microsoft declined a bounty or acknowledgment of the finding.

Tenable CEO Amit Yoran personally addressed the transparency concerns in a separate statement on LinkedIn on Monday. He referred to Microsoft as a fox guarding the henhouse, and said that to date, Microsoft customers have not been notified of the two bugs that Tenable ranked as critical.

"After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," Yoran wrote. "It was only after being told that we were going to go public, that their story changed … 89 days after the initial vulnerability notification … when they privately acknowledged the severity of the security issue."

A comprehensive disclosure timeline can be critical for enterprise security. Yoran referred to the issue of silent patching as a "repeated pattern of behavior," particularly with Microsoft. He noted other vendors including Orca Security, Wiz and Fortinet had similar experiences with the tech giant.

One prime example of downplaying security incidents occurred in May, when a Microsoft zero-day vulnerability, dubbed Follina by independent security researcher Kevin Beaumont, was exploited in the wild. While Microsoft was notified of the flaw in April, the company determined it was not a security-related issue. Workarounds were not issued until after active exploitation.

"Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack … or if they fell victim to attack prior to a vulnerability being patched," Yoran wrote.