mobile-logo

Previous

< Slack GitHub Account Hack

Security Insights / Data Breaches / Microsoft Azure SSRF Vulnerabilities

Microsoft Azure SSRF Vulnerabilities

 

Microsoft Azure Services Vulnerable To SSRF

 

Learn about PurpleSec’s fully managed vulnerability management services.

Author: Dalibor Gašić/ Last Updated: 01/22/2022

Reviewed By: Michael Swanagan, CISSP, CISA, CISM

View OurEditorial Process

Table Of Contents

Summary Of The Attack

 

  • On January 17, 2023, four vulnerabilities in Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks.
  • Services included Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.
  • According to Orca researcher Lidor Ben Shitrit, the impact of these SSRF vulnerabilities on Microsoft Azure Services could have been significant if left unpatched.
  • Due to the swift action taken by Microsoft, these vulnerabilities were mitigated before they could cause any major damage.

 

 

Microsoft Azure SSRF Vulnerability: What Happened?

 

On January 17, 2023, Orca Security reported that they had discovered four vulnerabilities in Microsoft Azure services that were vulnerable to server-side request forgery (SSRF) attacks.

 

The affected services included Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

 

Microsoft was promptly notified of the vulnerabilities and quickly took action to address and remediate them. The vulnerabilities were determined to be low risk, as they did not allow access to sensitive information or Azure backend services.

 

No customer action was required for the impacted services.

How The Microsft Azure SSRF Vulnerability Works

 

A Server-side request forgery (SSRF) attack is a type of attack that allows an attacker to manipulate a server to execute arbitrary HTTP requests on behalf of the server.

 

This can have serious consequences as it enables a malicious actor to read or update internal resources. Threat actors are then able to pivot to other parts of the network and breach otherwise unreachable systems to extract valuable data.

 

The four Azure Services with SSRF vulnerabilities are listed below:

 

  1. On October 8, 2022, a weakness in the hosted Digital Twins Explorer was uncovered that could have allowed for SSRF attacks. This vulnerability was quickly addressed and a fix was released on October 17, 2022. To ensure the security of the service, Azure Digital Twins has implemented measures to prevent access to internal Azure services through IDMS and wire server.
  2. On November 12, 2022, a weakness was exposed in the Azure Functions Service. This SSRF vulnerability could have enabled unauthenticated users to craft specific URLs, which in turn could have given attackers the ability to gather information about local ports. Microsoft released a solution on December 9, 2022.
  3. A weakness in Azure API Management Service was exposed also on November 12, 2022, allowing a malicious actor the potential to exploit loopback URLs and abuse the server. Swift action was taken by the APIM engineering team, releasing a fix to block access to local ports and resources on the VM by November 16, 2022.
  4. The machine learning service was hit with an SSRF vulnerability on December 2, 2022, however, it was deemed a low risk as it failed to expose any confidential information or tokens and did not grant access to sensitive internal endpoints. The vulnerability was patched on December 20, 2022.

 

Two of the vulnerabilities were found in Azure Functions and Azure Digital Twins and could be exploited without requiring any authentication, allowing a threat actor to seize control of a server without even having an Azure account.

 

Three of the flaws were rated as “Important” in severity, while one was rated as “Low.”

 

However, all the weaknesses could be leveraged to manipulate a server to mount further attacks against a susceptible target.

enterprise vulnerability management services

What Was The Impact?

 

According to Orca researcher Lidor Ben Shitrit, the impact of these SSRF vulnerabilities on Microsoft Azure Services could have been significant if left unpatched.

 

An attacker could have used these vulnerabilities to gain access to internal resources, such as the hosts IMDS, and obtain sensitive information, including tokens, hostname, security group, MAC address, and user data.

 

This information could have been used to move to other hosts or enable remote code execution.

 

Thankfully, due to the swift action taken by Microsoft, these vulnerabilities were mitigated before they could cause any major damage.

 

Some experts suggest that the use of stolen employee tokens, which were likely obtained via an API, highlights the importance of strong authentication measures to protect against unauthorized access.

 

Additionally, the incident has similarities with a recent security incident disclosed by authentication firm Okta, which also had its code repositories accessed and copied.

 

It is possible that the same group or individual may be responsible for both hacks. The investigation is still ongoing and more information may become available in the future.

PurpleSec risk management platform

How To Keep Your Azure Environment Secure

 

When it comes to keeping your cloud infrastructure secure, there are a few key steps you can take to minimize the risk of SSRF vulnerabilities:

 

  • Patch Cloud Vulnerabilities
  • Continuous Monitoring
  • Principal Of Least Privilege
  • Network Segmentation
  • CSP Built In Security Features

 

First and foremost, it is important to stay up to date on the latest security patches and updates for all of your cloud services. This includes not only the services provided by your cloud provider but also any third-party applications or tools that you may be using.

 

Related Article: What Is Cloud Penetration Testing? (& When Do You Need It?)

 

Additionally, implementing a robust security monitoring and incident response plan can help you quickly detect and respond to any potential SSRF attacks.

 

This includes monitoring for unusual network traffic, as well as implementing tools and technologies to detect and block malicious activity.

 

Another important step is to implement a least privilege access model, which ensures that users and applications only have the access they need to perform their intended functions. This can help to prevent malicious actors from leveraging SSRF vulnerabilities to gain access to sensitive internal resources.

 

Additionally, implementing network segmentation can also help to limit the scope of any potential SSRF attacks, by isolating critical systems and data from less sensitive systems.

 

It’s also worth noting that many cloud providers, including Microsoft, offer additional security services and features to help protect against SSRF attacks.

 

For example, Azure offers a number of security services, including Azure Security Center, Azure Policy, and Azure Active Directory. This can be used to help monitor and protect your cloud infrastructure.

 

By taking a holistic approach to cloud security, you can better protect your organization against SSRF attacks, as well as a wide range of other cyber threats.

 

Related Articles:

 

enterprise penetration testing services

Dalibor Gašić - cyber security expert

Dalibor Gašić

Dalibor is a Senior Security Engineer with experience in penetration testing having recently served over 8 years in the Ministry of Internal Affairs in the Department of Cyber Security in Serbia.

Previous

Slack GitHub Account Hack

Next

Top Vulnerabilities Of 2022

All Topics

More Security Insights