
Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks, which can be used to gain unauthorized access to cloud resources.
The security issues, discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, are being addressed by Microsoft.
“The discovered Azure SSRF vulnerabilities allowed attackers to scan local ports and find new services, endpoints, and sensitive files, providing valuable information to exploit for initial entry and the location of sensitive information to target,” Orca researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
Two vulnerabilities affecting Azure Functions and Azure Digital Twins could be exploited without requiring authentication, allowing an attacker to take control of a server without having an Azure account in the first place.
SSRF attacks can have serious consequences: they allow malicious intruders to read or update internal resources or, worse, pivot to other parts of the network or compromise otherwise unreachable systems to extract valuable data.
Three of the defects are rated ‘Important’ severity, and the SSRF defect impacting Azure Machine Learning is rated ‘Low’ severity. All weaknesses can be used to manipulate the server and launch further attacks against susceptible targets.
Here’s an overview of the four vulnerabilities:
- Unauthenticated SSRF in Azure Digital Twins Explorer via a flaw in the /proxy/blob endpoint that can be exploited to get responses from services suffixed with “blob.core.windows[.]net”
- Unauthenticated SSRF on Azure Functions that can be exploited to enumerate local ports and access internal endpoints
- Authenticated SSRF in the Azure API Management service that can be abused to list internal ports, including ports associated with source code control services that can be used to access sensitive files
- Authenticated SSRF in the Azure Machine Learning service via the /datacall/streamcontent endpoint that can be abused to fetch content from arbitrary endpoints
To mitigate such threats, organizations are advised to validate all input, ensure servers are configured to allow only necessary inbound and outbound traffic, avoid misconfigurations, and adhere to the principle of least privilege (PoLP).
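The input-validation and outbound-traffic recommendations above can be combined in a destination check for any endpoint that fetches a user-supplied URL. The following is an added example, not code from Orca or Microsoft; the function names, the single allowed domain and the port policy are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: the endpoint should only ever fetch from
# Azure Blob Storage hosts over HTTPS on the default port.
ALLOWED_SUFFIX = ".blob.core.windows.net"
ALLOWED_PORTS = {443}


def _resolve(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolve=_resolve):
    """Return (ok, reason) for a user-supplied URL the server would fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "unparseable URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Match on a label boundary so "evilblob.core.windows.net" is rejected.
    if not host.endswith(ALLOWED_SUFFIX):
        return False, "host not allowed"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    # Refuse loopback, private and link-local targets even for allowed names.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input with a stub resolver, so this runs offline.
    stub = lambda host: {"20.60.0.1"}
    for u in ("https://acct.blob.core.windows.net/c/f",
              "https://evilblob.core.windows.net/",
              "https://acct.blob.core.windows.net:8080/"):
        print(u, check_outbound_url(u, stub))
```

The check only holds if the subsequent request connects to one of the addresses that was validated and re-runs the check on every redirect. Network-level egress rules remain the backstop when application validation is bypassed.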
“Arguably the most notable aspect of these findings is the number of SSRF vulnerabilities we were able to find with minimal effort, how prevalent they are, and the risks they pose in cloud environments,” said Ben Shitrit.