Microsoft Patches Four SSRF Vulnerabilities in Azure Cloud Services


Microsoft has patched vulnerabilities in four different Azure cloud services. The security flaws could enable attackers to perform a server-side request forgery (SSRF) attack to gain unauthorized access to cloud resources.

The security vulnerabilities were first discovered by researchers from Orca Security between mid-October and mid-December last year. The flaws affect various Microsoft cloud services such as Azure Functions, Azure API Management, Azure Digital Twins, and Azure Machine Learning.

Microsoft introduced new security features to block SSRF attacks back in 2020. However, the researchers exploited the flaws in Azure Functions and Azure Digital Twins to gain unauthorized access to sensitive information.

A server-side request forgery (SSRF) attack allows a threat actor to send malicious requests to another system via a vulnerable web server. It lets an attacker abuse a web application to read or update internal resources and send sensitive data to external sources. In cloud environments the attack is particularly harmful because the vulnerable server can be made to reach the host's Instance Metadata Service (IMDS), which serves instance details and credentials to local processes.

“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target,” Orca researcher Lidor Ben Shitrit explained.

Protection and mitigation strategies to block SSRF attacks

Fortunately, the researchers couldn’t exploit the SSRF vulnerabilities in Azure to reach IMDS endpoints. This is because Microsoft already has mitigations in place that reduce the potential impact of SSRF attacks in its cloud environment: Digital Twins only accepts specific URL prefixes, and the App Service and Azure Functions metadata endpoints require an Identity Header that a relayed request does not carry.

Orca Security proactively reported the security vulnerabilities to Microsoft in October 2022. The company quickly released security updates to patch them individually within a couple of weeks.

The researchers have not found any evidence that the flaws were actively exploited in the wild. However, IT admins are advised to validate all input, ensure that servers are configured to allow only the inbound and outbound traffic they need, and follow the principle of least privilege (PoLP).
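The two mitigations the article describes, validating the URLs a server is asked to fetch and refusing metadata requests that lack a process-local identity header, can be shown in a few lines. The following is an added example written for this page, not code from Orca Security, Microsoft, or any Azure service. The allowlist of hosts, the offline DNS table (including the deliberately link-local answer for `cdn.example.com`), and the `X-IDENTITY-HEADER` name are assumptions made for the example; they illustrate the idea rather than Azure's actual implementation.

```python
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist of the only external hosts this service is meant to fetch
# from (an assumption for the example; a real service would load its own list).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Address space a server-side fetch should never be allowed to reach: loopback,
# link-local (which contains the cloud instance metadata service at 169.254.169.254),
# RFC 1918 private ranges and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed DNS table so the example runs offline (assumption: these are not the
# real addresses of these names). cdn.example.com deliberately "resolves" into
# link-local space to show that an allowlisted name is not enough on its own.
_FAKE_DNS = {"api.example.com": "93.184.216.34", "cdn.example.com": "169.254.169.254"}


def fake_resolver(host, port):
    """Offline stand-in for socket.getaddrinfo, returning the same tuple shape."""
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[host], port))]


def validate_outbound_url(user_url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a URL supplied by a client.

    The SSRF pattern is fetching the URL unchecked. Here it is accepted only if it
    is http(s), its host is on the allowlist, and every address the host resolves
    to lies outside BLOCKED_NETWORKS. The resolver is injectable for offline tests.
    """
    parsed = urlparse(user_url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        infos = resolver(host, port)
    except (ValueError, socket.gaierror):
        return False, "invalid port or name resolution failed"
    # A name may resolve to several addresses; all of them must be acceptable.
    for info in infos:
        addr = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 scope id
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


def metadata_request_allowed(headers, expected_secret, header_name="X-IDENTITY-HEADER"):
    """Identity-header defence: a local token endpoint answers only requests that
    carry a per-process secret header. A request relayed through an SSRF bug is
    built from a URL alone and cannot supply it, so it is refused. Header name and
    mechanism are an assumption for the example, not Azure's implementation."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(header_name.lower())
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, expected_secret)


if __name__ == "__main__":
    for url in ("https://api.example.com/data",
                "https://cdn.example.com/asset",
                "http://169.254.169.254/metadata/instance",
                "file:///etc/passwd"):
        print(url, "->", validate_outbound_url(url, resolver=fake_resolver))
    print("relayed request without header:", metadata_request_allowed({}, "secret"))
```

Two caveats a practitioner would want: validate-then-fetch is a time-of-check/time-of-use window (a name can change its answer between the check and the connection), so the fetch should be made to the address that was validated, and HTTP redirects must be re-validated or disabled. The check is one layer; the egress restrictions and least-privilege advice above still apply, since they limit what a bypass can reach.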