Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Cloud security company Orca has published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services, including two bugs that could have been exploited without authentication.

SSRF flaws, Orca explains, typically allow attackers to access the host’s IMDS (Cloud Instance Metadata Service), enabling them to view information such as hostnames, MAC addresses, and security groups.

Furthermore, such security defects could be exploited to retrieve tokens, execute code remotely, and move to another host.

Impacting Azure Functions and Azure Digital Twins, the two unauthenticated vulnerabilities could be exploited without an Azure account to send requests on behalf of the server.

The remaining two security issues, which were identified in Azure API Management and Azure Machine Learning, require authentication for successful exploitation.

All four vulnerabilities are non-blind SSRF (full SSRF) issues, allowing an attacker to fetch any request and retrieve the output, Orca’s researchers say. Such flaws can typically be exploited via XXE (XML external entity), SVG files, a proxy, PDF rendering, a vulnerable query string in the URL, and more.

“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target,” Orca says.

The issues could be exploited to request any URL by abusing the server, but various mitigations that Microsoft has implemented prevented the researchers from exploiting the newly identified bugs to reach IMDS endpoints.
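
The following added example, which is not code from Orca or Microsoft, shows the kind of destination check a Node.js service can apply before fetching a user-supplied URL, so that the request cannot reach IMDS, loopback or other internal addresses or probe arbitrary ports. The function names, the port allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not Orca's or Microsoft's code. Ranges a server-side fetcher
// should refuse: loopback, private, CGNAT and link-local space.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes IMDS at 169.254.169.254
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const ALLOWED_PORTS = new Set([80, 443]); // assumption: web fetches only

// Strict dotted-quad to unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedAddress(ip) {
  const a = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  const n = ipv4ToInt(mapped ? mapped[1] : a);
  // IPv6: fail closed, allow only global unicast 2000::/3.
  if (n === null) return !/^[23][0-9a-f]{3}:/.test(a);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// resolvedIps: every address the caller's DNS lookup returned for the host.
function checkOutboundUrl(raw, resolvedIps) {
  let u;
  try { u = new URL(raw); } catch (e) { return { ok: false, reason: 'unparsable URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  const port = u.port === '' ? (u.protocol === 'https:' ? 443 : 80) : Number(u.port);
  if (!ALLOWED_PORTS.has(port)) return { ok: false, reason: 'port not allowed' };
  // An IP-literal host is checked directly (the URL parser has normalised it).
  const host = u.hostname.replace(/^\[|\]$/g, '');
  const isLiteral = ipv4ToInt(host) !== null || host.includes(':');
  const addrs = isLiteral ? [host] : resolvedIps;
  if (addrs.length === 0) return { ok: false, reason: 'no addresses' };
  const bad = addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: 'internal address ' + bad };
  return { ok: true, reason: 'public destination' };
}

// Constructed samples: the first is refused, the second is allowed.
console.log(checkOutboundUrl('http://169.254.169.254/metadata/instance', []));
console.log(checkOutboundUrl('https://example.com/feed.xml', ['93.184.216.34']));
```

The fetch must then connect to the addresses that were checked rather than resolving the name again, and every redirect target needs the same check.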

The unauthenticated flaw in the Azure Digital Twins Explorer service was caused by a bug in the user input validation following a request, while the issue impacting the Azure Functions service resided in a Node.js-based function.

The authenticated vulnerability in Azure API Management allowed the researchers to enumerate all open ports on the vulnerable server, review all of them, and retrieve more sensitive data, including Git client version, the empty refs list, and the git-scm capabilities.

The Azure Machine Learning service bug, Orca says, allowed the researchers to retrieve any endpoint.

Orca reported the vulnerabilities to Microsoft between October and December 2022. Patches were released shortly after each report, with the last vulnerability addressed on December 20.

UPDATE: Microsoft has published its own blog post, clarifying that the vulnerabilities were “low risk as they do not allow access to sensitive information or Azure backend services.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
