Microsoft, as usual, quietly fixed an important security vulnerability in the Azure service (ACS) after researchers from Mnemonic discovered that the problematic function allows attacks to bypass the network between tenants.

As the researchers found out, the vulnerability allows circumventing the identification perimeter of Azure Cognitive Search instances isolated from the Internet and provides inter-client access to the ACS instance data plane from anywhere, including instances without explicit access to the network.

The error affected all instances of the Azure service with the "allow access from the portal" function activated.

By enabling this feature, clients actually allowed inter-client access to the data plane of their ACS instances from anywhere, regardless of the actual network configurations of the latter.

Moreover, this includes instances that are open exclusively on private endpoints, as well as instances without explicit access to the network, even without any private, service or public endpoint.

With a simple push of a button, customers could enable a vulnerable feature that effectively reset the entire network perimeter configured around their ACS instances without providing any real identification perimeter, allowing anyone to create a valid access token for ARM.

Microsoft paid a reward of $10,000 and raised the severity level of the bug from moderate to serious due to the ease of operation and the risk of exploitation for many users.

At some point in the disclosure process, Microsof stated that the fix was delayed because the fix required a significant design level change.

However, according to researcher Emilien Sokka, the vulnerability, dubbed ACSESSED, was still fixed by Microsoft without an official announcement at the end of August 2022, about six months after it was first reported.