SSRF vulnerabilities in four Microsoft Azure services could be exploited to gain unauthorized access to cloud resources.

Researchers at the security firm Orca discovered that four different Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks. Threat actors could have exploited the flaws to gain unauthorized access to cloud resources.

Vulnerable services included Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins.

The researchers successfully exploited two vulnerabilities without requiring any authentication on the Azure Functions and Azure Digital Twins services. The attacks allowed the experts to send requests in the name of the server without even having an Azure account.

“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target.” reads the analysis published by Orca.

The experts pointed out that SSRF vulnerabilities can allow attackers with access to the host’s IMDS (Cloud Instance Metadata Service), to retrieve detailed info on instances (i.e. hostname, security group, MAC address and user-data) and potentially retrieve tokens, perform lateral movement and execute arbitrary code.

Orca researchers did not manage to reach any IMDS endpoints due to various SSRF mitigations implemented by Microsoft.

Below is the list of flaws discovered by the researchers:

Affected ServiceSeverityUnauthenticatedDate reportedStatusSSRF #1Azure Digital TwinsImportantYesOctober 8, 2022Fixed (October 17, 2022)SSRF #2Azure Functions AppImportantYesNovember 12, 2022Fixed (December 9, 2022)SSRF #3Azure API ManagementImportantNoNovember 12, 2022Fixed (November 16, 2022)SSRF #4Azure Machine LearningLowNoDecember 2, 2022Fixed(December 20, 2022)SSRF #1 – Unauthenticated SSRF Vulnerability on Azure Digital Twins Explorer allows any unauthenticated user to request any URL by abusing the server.

SSRF #2 – Unauthenticated SSRF Vulnerability on Azure Functions allows any unauthenticated user to request any URL abusing the server.

SSRF #3 – Authenticated SSRF Vulnerability on Azure API Management Service allows any authenticated user to request any URL abusing the server.

SSRF #4 – Authenticated SSRF Vulnerability on Azure Machine Learning Service allows any authenticated user to request any URL abusing the server.
Organizations can mitigate SSRF attacks by validating all input and ensuring that servers are configured to only allow necessary inbound and outbound traffic. The researchers recommend adopting the principle of least privilege (PoLP) and keeping their system up to date and avoiding misconfiguration.

“After flagging the vulnerabilities to Microsoft, they were swiftly mitigated.” concludes the report. “The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Azure services)

[adrotate banner=”5″] [adrotate banner=”13″]

The post Experts found SSRF flaws in four different Microsoft Azure services appeared first on Security Affairs.