Vulnerability Management, Threat Management

Four Azure services vulnerable to server-side request forgery flaws 

Pictured: The Microsoft logo is seen Feb. 26, 2019, outside its booth at the GSMA Mobile World Congress 2019 in Barcelona. Researchers at Orca Security found four Microsoft Azure services that were vulnerable to Server-Side Request Forgery (SSRF), a web security flaw that remains prevalent and poses an ongoing threat to cloud environments.   (Photo...

Researchers found four Microsoft Azure services that were vulnerable to Server-Side Request Forgery (SSRF), a web security flaw that remains prevalent and poses an ongoing threat to cloud environments.  

The vulnerable services include Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digitals, according to a blog post Tuesday by Orca Security. Among them, two vulnerabilities involving Azure Functions and Azure Digital Twins did not require authentication, meaning that an attacker could exploit them even without an Azure account.  

“The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments,” Lidor Ben Shitrit, cloud security researcher at Orca wrote in the blog post.  

Indeed, SSRF attacks can be particularly dangerous since a successful execution can result in an attacker accessing or modifying internal resources as well as submitting data to external sources. 

In addition, if attackers are able to access the host’s IMDS — their cloud instance metadata service — they could get detailed information on instances, including hostname, security group, MAC address, and user data, which would potentially allow attackers to retrieve tokens, move to another host, and execute code, said Dror Zalman, director of cloud security research at Orca.  

In the 2019 Capital One data breach, the hacker started by exploiting SSRF vulnerabilities to gain access to data that affected approximately 100 million individuals in the United States and six million others in Canada.  

In the case of Azure services, Shitrit said all four SSRF vulnerabilities fall under Non-Blind SSRF (or Full SSRF) category, which means that attackers can manipulate a server to make a request and receive the full response from the server. In this way, attackers are able to gather more information about the target system and potentially launch further attacks.  

Three security flaws in Azure Digital Twins, Azure Functions App, and Azure API Management were rated as “important,” and the vulnerability in Azure Machine Learning was rated as “low.”  

In a statement sent to SC Media, Microsoft said it took action to resolve all four vulnerabilities as soon as they were reported and determined them to be low risk since they do not allow access to sensitive information or Azure backend services. 

“The impact of SSRF vulnerabilities can vary depending on the environment but can enable access to sensitive internal endpoints or port scanning. Microsoft has mechanisms in place to prevent privileged abuse, such as the unauthorized retrieval of tokens, lateral movement, or code execution/ As such, these four vulnerabilities did not result in any material impact to Azure services or infrastructure,” the company claimed in an unsigned note posted by the Microsoft Security response Center.  

Orca Security applauded Microsoft in its blog post for implementing several measures to mitigate the impact of SSRF attacks in 2020, including the introduction of requirements for accessing the IMDS endpoint and Identity Header for the App Service and Azure Functions.  

“By implementing these measures, Microsoft has significantly reduced the potential damage of SSRF attacks on its Azure platform,” Shitrit wrote in the blog post.  

Besides Microsoft’s efforts in mitigation, Shitrit added that organizations should also take steps to protect themselves from SSRF attacks.  

“The key is to ensure that all input is properly validated, and that servers are configured to only allow necessary inbound and outbound traffic. In addition, by keeping your cloud environment secure — for instance, by enforcing proper cloud security hygiene, adhering to the principle of least privilege, patching vulnerabilities, and avoiding misconfigurations — you can further limit the damage an attacker can achieve,” Shitrit said. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.