Microsoft Azure Services Vulnerable To SSRF

Contents

Summary Of The Attack

  • On January 17, 2023, four vulnerabilities in Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks.
  • Services included Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
  • According to Orca researcher Lidor Ben Shitrit, the impact of these SSRF vulnerabilities on Microsoft Azure Services could have been significant if left unpatched.
  • Due to the swift action taken by Microsoft, these vulnerabilities were mitigated before they could cause any major damage.
.

What Happened?

On January 17, 2023, Orca Security reported that they had discovered four vulnerabilities in Microsoft Azure services that were vulnerable to server-side request forgery (SSRF) attacks.

The affected services included Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

Microsoft was promptly notified of the vulnerabilities and quickly took action to address and remediate them. The vulnerabilities were determined to be low risk, as they did not allow access to sensitive information or Azure backend services.

No customer action was required for the impacted services.

How The Microsft Azure SSRF Vulnerability Works

A Server-side request forgery (SSRF) attack is a type of attack that allows an attacker to manipulate a server to execute arbitrary HTTP requests on behalf of the server.

This can have serious consequences as it enables a malicious actor to read or update internal resources. Threat actors are then able to pivot to other parts of the network and breach otherwise unreachable systems to extract valuable data.

The four Azure Services with SSRF vulnerabilities are listed below:

  1. On October 8, 2022, a weakness in the hosted Digital Twins Explorer was uncovered that could have allowed for SSRF attacks. This vulnerability was quickly addressed and a fix was released on October 17, 2022. To ensure the security of the service, Azure Digital Twins has implemented measures to prevent access to internal Azure services through IDMS and wire server.
  2. On November 12, 2022, a weakness was exposed in the Azure Functions Service. This SSRF vulnerability could have enabled unauthenticated users to craft specific URLs, which in turn could have given attackers the ability to gather information about local ports. Microsoft released a solution on December 9, 2022.
  3. A weakness in Azure API Management Service was exposed also on November 12, 2022, allowing a malicious actor the potential to exploit loopback URLs and abuse the server. Swift action was taken by the APIM engineering team, releasing a fix to block access to local ports and resources on the VM by November 16, 2022.
  4. The machine learning service was hit with an SSRF vulnerability on December 2, 2022, however, it was deemed a low risk as it failed to expose any confidential information or tokens and did not grant access to sensitive internal endpoints. The vulnerability was patched on December 20, 2022.

 

Two of the vulnerabilities were found in Azure Functions and Azure Digital Twins and could be exploited without requiring any authentication, allowing a threat actor to seize control of a server without even having an Azure account.

Three of the flaws were rated as “Important” in severity, while one was rated as “Low.”

However, all the weaknesses could be leveraged to manipulate a server to mount further attacks against a susceptible target.

Free Security Policy Templates

Get a step ahead of your cybersecurity goals with our comprehensive templates.

IT Security Policy Templates

What Was The Impact?

According to Orca researcher Lidor Ben Shitrit, the impact of these SSRF vulnerabilities on Microsoft Azure Services could have been significant if left unpatched.

An attacker could have used these vulnerabilities to gain access to internal resources, such as the hosts IMDS, and obtain sensitive information, including tokens, hostname, security group, MAC address, and user data.

This information could have been used to move to other hosts or enable remote code execution.

Thankfully, due to the swift action taken by Microsoft, these vulnerabilities were mitigated before they could cause any major damage.

Some experts suggest that the use of stolen employee tokens, which were likely obtained via an API, highlights the importance of strong authentication measures to protect against unauthorized access.

Additionally, the incident has similarities with a recent security incident disclosed by authentication firm Okta, which also had its code repositories accessed and copied.

It is possible that the same group or individual may be responsible for both hacks. The investigation is still ongoing and more information may become available in the future.

How To Keep Your Azure Environment Secure

When it comes to keeping your cloud infrastructure secure, there are a few key steps you can take to minimize the risk of SSRF vulnerabilities:

  • Patch Cloud Vulnerabilities
  • Continuous Monitoring
  • Principal Of Least Privilege
  • Network Segmentation
  • CSP Built In Security Features

First and foremost, it is important to stay up to date on the latest security patches and updates for all of your cloud services. This includes not only the services provided by your cloud provider but also any third-party applications or tools that you may be using.

Related Article: What Is Cloud Penetration Testing? (& When Do You Need It?)

Additionally, implementing a robust security monitoring and incident response plan can help you quickly detect and respond to any potential SSRF attacks.

This includes monitoring for unusual network traffic, as well as implementing tools and technologies to detect and block malicious activity.

Another important step is to implement a least privilege access model, which ensures that users and applications only have the access they need to perform their intended functions. This can help to prevent malicious actors from leveraging SSRF vulnerabilities to gain access to sensitive internal resources.

Additionally, implementing network segmentation can also help to limit the scope of any potential SSRF attacks, by isolating critical systems and data from less sensitive systems.

It’s also worth noting that many cloud providers, including Microsoft, offer additional security services and features to help protect against SSRF attacks.

For example, Azure offers a number of security services, including Azure Security Center, Azure Policy, and Azure Active Directory. This can be used to help monitor and protect your cloud infrastructure.

By taking a holistic approach to cloud security, you can better protect your organization against SSRF attacks, as well as a wide range of other cyber threats.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

The Breach Report

Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.

Related Breaches