Author: Dalibor Gašić / Last Updated: 01/22/2022
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
On January 17, 2023, Orca Security reported that it had discovered four server-side request forgery (SSRF) vulnerabilities in Microsoft Azure services.
The affected services included Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
Microsoft was promptly notified of the vulnerabilities and quickly took action to address and remediate them. The vulnerabilities were determined to be low risk, as they did not allow access to sensitive information or Azure backend services.
No customer action was required for the impacted services.
Server-side request forgery (SSRF) is an attack in which an attacker induces a server to issue arbitrary HTTP requests on the attacker's behalf.
This can have serious consequences, as it lets a malicious actor read or update internal resources. Threat actors can then pivot to other parts of the network and reach otherwise unreachable systems to extract valuable data.
The four Azure services with SSRF vulnerabilities are listed below:
Azure API Management
Azure Functions
Azure Machine Learning
Azure Digital Twins
Two of the vulnerabilities were found in Azure Functions and Azure Digital Twins and could be exploited without requiring any authentication, allowing a threat actor to seize control of a server without even having an Azure account.
Three of the flaws were rated as “Important” in severity, while one was rated as “Low.”
However, all the weaknesses could be leveraged to manipulate a server to mount further attacks against a susceptible target.
According to Orca researcher Lidor Ben Shitrit, the impact of these SSRF vulnerabilities on Microsoft Azure Services could have been significant if left unpatched.
An attacker could have used these vulnerabilities to reach internal resources, such as the host's instance metadata service (IMDS), and obtain sensitive information, including tokens, hostname, security group, MAC address, and user data.
This information could have been used to move to other hosts or enable remote code execution.
Thankfully, due to the swift action taken by Microsoft, these vulnerabilities were mitigated before they could cause any major damage.
Some experts suggest that the use of stolen employee tokens, which were likely obtained via an API, highlights the importance of strong authentication measures to protect against unauthorized access.
Additionally, the incident has similarities with a recent security incident disclosed by authentication firm Okta, which also had its code repositories accessed and copied.
It is possible that the same group or individual may be responsible for both hacks. The investigation is still ongoing and more information may become available in the future.
When it comes to keeping your cloud infrastructure secure, there are a few key steps you can take to minimize the risk of SSRF vulnerabilities:
First and foremost, it is important to stay up to date on the latest security patches and updates for all of your cloud services. This includes not only the services provided by your cloud provider but also any third-party applications or tools that you may be using.
Additionally, implementing a robust security monitoring and incident response plan can help you quickly detect and respond to any potential SSRF attacks.
This includes monitoring for unusual network traffic, as well as implementing tools and technologies to detect and block malicious activity.
Another important step is to implement a least privilege access model, which ensures that users and applications only have the access they need to perform their intended functions. This can help to prevent malicious actors from leveraging SSRF vulnerabilities to gain access to sensitive internal resources.
Additionally, implementing network segmentation can also help to limit the scope of any potential SSRF attacks, by isolating critical systems and data from less sensitive systems.
It’s also worth noting that many cloud providers, including Microsoft, offer additional security services and features to help protect against SSRF attacks.
For example, Azure offers a number of security services, including Azure Security Center, Azure Policy, and Azure Active Directory. These can be used to help monitor and protect your cloud infrastructure.
By taking a holistic approach to cloud security, you can better protect your organization against SSRF attacks, as well as a wide range of other cyber threats.
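As an added example (not code from PurpleSec, Orca, or Microsoft), the Python guard below shows the application-level control that complements the steps above: before a server fetches a URL it was handed, every address the hostname resolves to is checked, and link-local, loopback and private destinations, including the Azure IMDS address 169.254.169.254, are refused. The function and helper names are hypothetical, and the `resolver` parameter exists so the check can be exercised offline with a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Azure's instance metadata service (IMDS) is served from this link-local address.
AZURE_IMDS = ipaddress.ip_address("169.254.169.254")

def resolve_all(host):
    """Hypothetical default resolver: every address the OS returns for host."""
    # getaddrinfo may append an IPv6 scope id ("%eth0"); drop it before parsing.
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]

def is_blocked_destination(ip):
    """True for any address a server should never be talked into contacting."""
    # An IPv4-mapped IPv6 address (::ffff:169.254.169.254) is still the IMDS.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip == AZURE_IMDS or ip.is_link_local or ip.is_loopback
            or ip.is_private or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)

def check_outbound_url(url, resolver=resolve_all, allowed_hosts=None):
    """Return (ok, reason); ok is True only if every resolved address is public.

    Call this before the server fetches a URL supplied by a user or a
    downstream service. allowed_hosts, when given, is an explicit allowlist.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host %r not in allowlist" % host
    try:
        # A literal IP needs no lookup; anything else goes through the resolver.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError as exc:
            return False, "dns failure for %r: %s" % (host, exc)
    for ip in addrs:
        # One bad record is enough: a name may mix public and internal answers.
        if is_blocked_destination(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"
```

Make the real request to the address that passed the check rather than re-resolving the name; otherwise a record that changes between check and fetch (DNS rebinding) defeats the guard.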
Dalibor is a Senior Security Engineer with experience in penetration testing, having recently served over 8 years in the Department of Cyber Security of the Ministry of Internal Affairs in Serbia.