Tenable chairman and chief executive Amit Yoran said in a blog post that his company had discovered two flaws, one of which it considered critical, in Microsoft's Azure platform, both in the Synapse Analytics part of Azure.
Synapse Analytics is used for machine learning, data aggregation and similar computational tasks.
One of these flaws was a privilege escalation flaw within the context of a Spark VM. The second allowed the poisoning of the hosts file on all nodes in a Spark pool.
Tenable researcher James Sebree wrote that the company had rated the issue as a critical severity, basing its reasoning on the concept of the Spark VM itself.
He said: "During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues. A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research.
"This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.
"During the final weeks of the disclosure process, MSRC [Microsoft Security Research Centre] began attempting to downplay this issue and classified it as a 'best practice recommendation' rather than a security issue. Their team stated the following (typos are Microsoft's): '[W]e do not consider this to be a important severity security issue but rather a better practice'."
Yoran said this was not an isolated case. "This is a repeated pattern of behaviour. Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers," he said.
"For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially.
"Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack… or if they fell victim to attack prior to a vulnerability being patched.
"And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy."
Yoran pointed to the case of FireEye/Mandiant which provided what he said was "an exemplary model for responsible disclosure when the company disclosed their breach, even prior to the forensic evidence resulting in the SolarWinds revelations of 2020".
He said the answer did not lie in just asking vendors to do better. "Holding a cloud or technology provider to a standard of care and transparency is essential. Independent audit and assessment of IT infrastructure and cloud service providers should be mandatory.
"The fox is guarding the henhouse. Trust but verify. The simple lessons we have been taught since elementary school remain applicable in cyber."