Dive Brief:
- Researchers found four instances where Microsoft Azure services were vulnerable to server-side request forgery attacks, according to a report released Tuesday from Orca Security. The vulnerable services included Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins.
- In two instances involving Azure Functions and Azure Digital Twins, the vulnerabilities did not require authentication, so an attacker could exploit them without an Azure account, according to Lidor Ben Shitrit, cloud security researcher at Orca, and Dror Zalman, director of cloud security research at Orca.
- Microsoft was notified of the research and has since confirmed it remediated the vulnerabilities.
Dive Insight:
SSRF attacks are considered potentially dangerous because an attacker can abuse the functionality of a server to read or update internal resources, according to the researchers.
If an attacker can access the host’s IMDS — cloud instance metadata service — they could access detailed information on instances, including hostname, security group, MAC address and user data.
This type of information would allow an attacker to potentially retrieve tokens, move to another host or enable remote code execution.
“The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort, indicating just how prevalent they are and the risk they pose in cloud environments,” the researchers said via email.
Orca researchers noted previous research involving an SSRF vulnerability in Oracle Cloud Services.
Microsoft in its own blog post said these particular vulnerabilities are considered low risk, because they do not allow access to sensitive information or Azure backend services. Orca characterized three of them as “important.”
Microsoft said it conducted an investigation and determined the vulnerabilities could not be used to access metadata, connect to internal services, obtain cross tenant access or access unauthorized data.
Microsoft said it has implemented additional input validation for the vulnerable URLs. The company said no customer action is needed for the four impacted Azure services.
