Researchers at the security firm Orca discovered that four different Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks. Threat actors could have exploited the flaws to gain unauthorized access to cloud resources.
Vulnerable services included Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins.
The researchers successfully exploited two vulnerabilities without requiring any authentication on the Azure Functions and Azure Digital Twins services. The attacks allowed the experts to send requests in the name of the server without even having an Azure account.
“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target,” reads the analysis published by Orca.
The experts pointed out that SSRF vulnerabilities can allow attackers with access to the host’s IMDS (Cloud Instance Metadata Service) to retrieve detailed information on instances (i.e. hostname, security group, MAC address and user-data) and potentially retrieve tokens, perform lateral movement and execute arbitrary code.
Orca researchers did not manage to reach any IMDS endpoints due to various SSRF mitigations implemented by Microsoft.
Below is the list of flaws discovered by the researchers:
| | Affected Service | Severity | Unauthenticated | Date reported | Status |
|---|---|---|---|---|---|
| SSRF #1 | Azure Digital Twins | Important | Yes | October 8, 2022 | Fixed (October 17, 2022) |
| SSRF #2 | Azure Functions App | Important | Yes | November 12, 2022 | Fixed (December 9, 2022) |
| SSRF #3 | Azure API Management | Important | No | November 12, 2022 | Fixed (November 16, 2022) |
| SSRF #4 | Azure Machine Learning | Low | No | December 2, 2022 | Fixed (December 20, 2022) |
Organizations can mitigate SSRF attacks by validating all input and ensuring that servers are configured to allow only necessary inbound and outbound traffic. The researchers also recommend adopting the principle of least privilege (PoLP), keeping systems up to date and avoiding misconfigurations.
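One way to apply the input-validation advice to URLs that a server fetches on a user's behalf, as an added example (not code from Orca's report or from Microsoft's fixes). The helper `check_outbound_url`, the host names and the DNS answers are hypothetical, constructed for illustration; the check combines a host allowlist with a test that every resolved address is globally routable, so an allowlisted name pointing at the metadata service is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _system_resolve(host):
    """Default resolver: every address the OS returns for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    """True for anything not globally routable: loopback, private ranges,
    and link-local, which includes the IMDS address 169.254.169.254."""
    ip = ipaddress.ip_address(addr)
    if getattr(ip, "ipv4_mapped", None):  # ::ffff:a.b.c.d wraps an IPv4 address
        ip = ip.ipv4_mapped
    return not ip.is_global

def check_outbound_url(url, allowed_hosts, resolve=_system_resolve):
    """Return (ok, reason, pinned_ips). The caller should connect to
    pinned_ips instead of resolving again, so a later DNS answer cannot
    point the request somewhere else."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL", []
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", []
    if port != 443:
        return False, "port not allowed", []
    if host not in allowed_hosts:
        return False, "host not on allowlist", []
    ips = resolve(host)
    if not ips or any(is_internal(ip) for ip in ips):
        return False, "resolves to internal address", []
    return True, "ok", ips

if __name__ == "__main__":
    # Constructed sample data: hypothetical hosts and DNS answers.
    dns = {"api.partner.example": ["93.184.216.34"],
           "hooks.partner.example": ["169.254.169.254"]}
    allow = set(dns)
    for u in ("https://api.partner.example/v1",
              "https://hooks.partner.example/cb",
              "https://169.254.169.254/",
              "https://api.partner.example@10.0.0.5/"):
        print(u, "->", check_outbound_url(u, allow, lambda h: dns.get(h, [])))
```

Application-level validation like this complements, rather than replaces, network egress rules that deny the workload any route to internal and metadata addresses.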
“After flagging the vulnerabilities to Microsoft, they were swiftly mitigated,” concludes the report. “The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments.”
(SecurityAffairs – hacking, Microsoft Azure services)