Experts found SSRF flaws in four different Microsoft Azure services

SSRF vulnerabilities in four Microsoft Azure services could be exploited to gain unauthorized access to cloud resources.

Researchers at the security firm Orca discovered that four different Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks. Threat actors could have exploited the flaws to gain unauthorized access to cloud resources.

Vulnerable services included Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins.

The researchers successfully exploited two vulnerabilities without requiring any authentication on the Azure Functions and Azure Digital Twins services. The attacks allowed the experts to send requests in the name of the server without even having an Azure account.

“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target.” reads the analysis published by Orca.

The experts pointed out that SSRF vulnerabilities can allow attackers with access to the host’s IMDS (Cloud Instance Metadata Service), to retrieve detailed info on instances (i.e. hostname, security group, MAC address and user-data) and potentially retrieve tokens, perform lateral movement and execute arbitrary code.

Orca researchers did not manage to reach any IMDS endpoints due to various SSRF mitigations implemented by Microsoft.

Below is the list of flaws discovered by the researchers:

	Affected Service	Severity	Unauthenticated	Date reported	Status
SSRF #1	Azure Digital Twins	Important	Yes	October 8, 2022	Fixed (October 17, 2022)
SSRF #2	Azure Functions App	Important	Yes	November 12, 2022	Fixed (December 9, 2022)
SSRF #3	Azure API Management	Important	No	November 12, 2022	Fixed (November 16, 2022)
SSRF #4	Azure Machine Learning	Low	No	December 2, 2022	Fixed(December 20, 2022)

• SSRF #1 – Unauthenticated SSRF Vulnerability on Azure Digital Twins Explorer allows any unauthenticated user to request any URL by abusing the server.
• SSRF #2 – Unauthenticated SSRF Vulnerability on Azure Functions allows any unauthenticated user to request any URL abusing the server.
• SSRF #3 – Authenticated SSRF Vulnerability on Azure API Management Service allows any authenticated user to request any URL abusing the server.
• SSRF #4 – Authenticated SSRF Vulnerability on Azure Machine Learning Service allows any authenticated user to request any URL abusing the server.

Organizations can mitigate SSRF attacks by validating all input and ensuring that servers are configured to only allow necessary inbound and outbound traffic. The researchers recommend adopting the principle of least privilege (PoLP) and keeping their system up to date and avoiding misconfiguration.

“After flagging the vulnerabilities to Microsoft, they were swiftly mitigated.” concludes the report. “The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Azure services)

[adrotate banner=”5″]

[adrotate banner=”13″]