Researchers found four Microsoft Azure services to be vulnerable to server-side request forgery (SSRF) attacks, which could have been used to gain unauthorized access to cloud resources.
Researchers at cybersecurity firm Orca Security found these vulnerabilities between October 8 and December 2, 2022, in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins. Microsoft has since addressed these vulnerabilities.
“SSRF attacks can be particularly dangerous since a successful execution can result in an attacker accessing or modifying internal resources as well as submitting data to external sources,” wrote Orca Security threat researcher Lidor Ben Shitrit.
Microsoft Azure bugs
The Azure SSRF vulnerabilities could have allowed an attacker to scan local ports, find new services, endpoints, and sensitive files, providing valuable information for initial entry and the location of sensitive information to target.
Two of the vulnerabilities, affecting Azure Functions and Azure Digital Twins, could have been exploited without requiring any authentication, enabling a threat actor to take control of a server without even having an Azure account.
“As soon as we discovered the vulnerabilities, we reached out to the Microsoft Security Response Center (MSRC), who promptly fixed the reported issues,” Ben Shitrit wrote in the threat assessment.
“Microsoft has confirmed that the vulnerabilities have been remediated, which is why we are now disclosing the details of the vulnerabilities we found.”
The severity of the Azure bugs
Server-side request forgery (SSRF) attacks can be incredibly dangerous for networks as they allow malicious actors to access internal resources, move throughout the network, and potentially breach otherwise unreachable systems to extract valuable data.
Of the listed vulnerabilities, three are considered to be of important severity while the SSRF flaw impacting Azure Machine Learning is considered to be of low severity. These weaknesses can all be used to manipulate servers and launch further attacks on vulnerable targets.
“The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments,” Ben Shitrit noted in the report.
To protect against SSRF attacks, organizations should validate all input, ensure servers are configured to only allow necessary inbound and outbound traffic, avoid misconfigurations, and follow the principle of least privilege (PoLP).
SSRF attacks and possible damages
Server-Side Request Forgery (SSRF) is a type of cyber-attack in which an attacker exploits server functionality to access or modify resources, according to an explainer by cybersecurity company Imperva.
The attacker targets an application that supports data imports from URLs or allows them to read data from URLs, manipulating the URLs through techniques such as replacement or path traversal.
“SSRF attacks commonly exploit a trust relationship, within the server itself (known as a server SSRF attack) or between the server and other back-end systems (known as a back-end SSRF attack),” the report noted.
The attacker supplies a URL to the server’s code, which then reads or submits data to it. This allows the attacker to gain access to internal data and services that were not meant to be exposed, such as HTTP-enabled databases and server configuration data.
Even for services that are not directly accessible through the public internet, an attacker can select a target URL and use it to read the data. Once the attacker has manipulated the request, the server receives it and attempts to read data from the altered URL.
This vulnerability can have serious consequences as it enables the attacker to access sensitive information and potentially move deeper into the network.