Last updated Wednesday, December 27, 2023, 15:11:19 GMT

Prior to March 9, 2023, Microsoft Defender for Cloud incorrectly marked some Azure virtual machines as having secured management ports, including SSH (port 22/TCP), RDP (port 3389/TCP) and WinRM (port 5985/TCP), when in fact one or more of these ports was exposed to the Internet. This occurred when the Network Security Group (NSG) associated with the virtual machine contained a rule that allowed access to one of these ports from the IPv4 range "0.0.0.0/0". Defender for Cloud would only detect an open management port if the source in the port rule was set to the literal alias "Any". Although a "/0" network in CIDR notation is normally treated as a synonym for "Any", the two were not equivalent in Defender for Cloud's logic.

Note that, at the time of writing, the same issue appears when using the IPv6 range "::/0" as a synonym for "any", and Microsoft has not yet fixed this version of the vulnerability.

Product Description

Microsoft Defender for Cloud is a cloud security posture management (CSPM) solution that provides several security capabilities, including the ability to detect misconfigurations in Azure and multi-cloud environments. Defender for Cloud is described in detail on the vendor's website.

Security groups are a concept that exists in both Azure and Amazon Web Services (AWS) cloud environments. Similar to a firewall, a security group allows you to create rules that limit which IP addresses or ranges can access which ports on one or more virtual machines in the cloud environment.

Credit

This issue was discovered by Aaron Sawitsky, Senior Manager for Cloud Product Integrations at Rapid7. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

If an Azure virtual machine is associated with a Network Security Group in which "management ports" such as RDP (Remote Desktop Protocol on port 3389/TCP) or SSH (Secure Shell protocol on port 22/TCP) are exposed to the "Any" pseudo-class for "Source", Microsoft Defender for Cloud will create a security recommendation to highlight that the management port is open to the internet. This allows an administrator to easily recognize that there is a virtual machine in their environment with one or more over-exposed server management ports.

However, prior to March 9, if the Network Security Group was instead configured such that a "management port" like RDP or SSH was exposed to "0.0.0.0/0" as a source (which is the entire IPv4 range of all possible addresses), no security recommendation was created and the configuration was incorrectly marked as "Healthy".

The effect is shown in the image below:

Because of this network-range confusion, Azure users can easily and accidentally expose management ports to the entire internet and evade detection by Defender for Cloud.

We suspect that other Defender for Cloud features that check for the "any-ness" of ingress tests are similarly affected, but we have not comprehensively tested other manifestations of this issue.

Impact

We can imagine two cases where this unexpected behavior in Defender for Cloud could be useful to attackers. First, it is likely that administrators are unaware of any practical semantic difference between "Any" and "0.0.0.0/0" or "::/0", since these terms are often used interchangeably in other networking products, most notably when configuring AWS security groups. As a result, a legitimate administrator could accidentally apply this misconfiguration and remain undetected by the person or process responsible for monitoring Defender for Cloud security recommendations. This is the scenario most administrators are most likely to face.

More maliciously, an attacker who has already compromised an Azure-hosted virtual machine could leverage this confusion to avoid post-exploitation detection by Defender for Cloud. This makes repeated post-exploit access from several different sources much easier for more sophisticated attackers. In this case, the "attacker" will often be an insider who is merely subverting their own IT security organization for ostensibly virtuous, just-get-it-done reasons, such as testing a configuration in production and then forgetting to re-restrict the exposure.

Note that more exotic combinations of subnets could be used to achieve the same effect; for example, an administrator could define "0.0.0.0/1" and "128.0.0.0/1" with the same effect as a single "0.0.0.0/0" source rule. Or, more cleverly, define a set of subnets that add up to "almost any", which would be enough for a thoughtful attacker to ensure continued, alert-free access. However, this kind of configuration is extremely unlikely to be implemented by accident (as described in the first case) and is therefore almost certainly outside the reasonable scope of the Defender for Cloud use case. After all, Defender for Cloud is designed to catch common misconfigurations, not necessarily deliberately confusing ones.

Remediation

Because Defender for Cloud is a cloud-based solution, users should not have to do anything special to enjoy the benefits of Microsoft's update. That said, customers should remember that the update has not resolved the issue when using the IPv6 range "::/0" as a synonym for "any". As a result, customers should search their Azure environments for any security groups configured to allow ingress from a source of "::/0" and seriously consider reconfiguring these rules to be more restrictive. In addition, customers should regularly subject their cloud infrastructure to auditing and penetration tests to verify that their CSPM is actually catching common misconfigurations. We have already validated that this issue does not impact Rapid7's InsightCloudSec CSPM solution. Finally, Defender for Cloud customers who have previously used the "/0" CIDR notation in their security group rules should review access logs to ensure that malicious actors were not evading the presumed detection capabilities provided by Defender for Cloud.
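The search recommended above, and the "subnets that add up to any" case from the Impact section, can be checked offline against exported NSG rules. The following is an added example, not Rapid7's or Microsoft's code; it assumes rule objects in the camelCase shape that `az network nsg rule list -o json` produces (the sample rules are constructed), treats the portal's "Any" as the "*" prefix, and deliberately sums only inbound Allow rules, ignoring Deny rules and priority order, so the fraction it reports is an upper bound on exposure.

```python
import ipaddress
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}  # the ports the advisory covers (TCP)
SPACE = {4: 2 ** 32, 6: 2 ** 128}                            # size of each address family

def _ports(rule):
    """Yield the management ports that fall inside destinationPortRange(s) such as '22', '3380-3390' or '*'."""
    for spec in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        lo, _, hi = ("0-65535" if spec == "*" else spec).partition("-")
        yield from (p for p in MANAGEMENT_PORTS if int(lo) <= p <= int(hi or lo))

def _sources(rule):
    """Yield ip_network objects for sourceAddressPrefix(es); the portal's 'Any' is stored as '*' in the JSON."""
    for spec in rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]:
        if spec == "*":                     # 'Any' covers both whole address families
            yield from (ipaddress.ip_network(n) for n in ("0.0.0.0/0", "::/0"))
        else:
            try:
                yield ipaddress.ip_network(spec, strict=False)
            except ValueError:
                pass                        # service tags such as 'VirtualNetwork' are not CIDRs; skip

def internet_exposure(rules):
    """Map each management port to the fraction of IPv4 and IPv6 space admitted by inbound Allow rules.
    Deny rules and priority order are ignored on purpose: this is an upper bound that surfaces '/0' sources."""
    per_port = {}
    for rule in rules:
        if rule.get("direction") == "Inbound" and rule.get("access") == "Allow":
            srcs = list(_sources(rule))
            for port in _ports(rule):
                per_port.setdefault(port, []).extend(srcs)
    exposure = {}
    for port, nets in per_port.items():
        exposure[port] = {}
        for ver, total in SPACE.items():
            merged = ipaddress.collapse_addresses([n for n in nets if n.version == ver])  # no double counting
            exposure[port][f"ipv{ver}"] = sum(n.num_addresses for n in merged) / total
    return exposure

def findings(rules, near_any=0.9):
    """(port, service, family, fraction) for each port reachable from all, or 'almost any', of the internet."""
    return [(port, MANAGEMENT_PORTS[port], fam, frac)
            for port, cov in sorted(internet_exposure(rules).items())
            for fam, frac in cov.items() if frac >= near_any]

SAMPLE_RULES = [  # constructed sample in the shape of `az network nsg rule list -o json` output
    {"name": "rdp-any", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "ssh-slash0", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
    {"name": "winrm-halves", "direction": "Inbound", "access": "Allow", "sourceAddressPrefixes": ["0.0.0.0/1", "128.0.0.0/1"], "destinationPortRange": "5985"},
    {"name": "ssh-office", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
]
```

Running `findings(SAMPLE_RULES)` flags all three management ports as fully reachable over IPv4, and RDP over IPv6 as well, even though only the RDP rule uses the literal "Any" source; lowering `near_any` surfaces prefix sets that cover most but not all of the address space.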

Disclosure Timeline

January 2023: Issue discovered by Rapid7 cloud security researcher Aaron Sawitsky
Wednesday, January 11, 2023: Initial disclosure to Microsoft
Thursday, January 12, 2023: Further explanation and validation details provided to the vendor
Monday, February 6, 2023: Vendor schedules a fix
Thursday, March 9, 2023: Fix for "0.0.0.0/0" confirmed by Rapid7
Tuesday, March 14, 2023: This disclosure