Security researchers at Binary Security have uncovered critical vulnerabilities in Microsoft’s Azure API Management (APIM) service that could allow attackers with basic Reader permissions to gain complete administrative control of the service.
The most severe vulnerability involves exploiting legacy API versions to obtain administrative access tokens.
An attacker with Reader role permissions can retrieve an SSO token that grants full administrative privileges to the APIM Management API, effectively bypassing all intended access controls.
The researchers discovered several vulnerabilities that could expose sensitive information, including subscription keys, OAuth credentials, and integration keys.
Strategies to Defend Websites & APIs from Malware Attack -> Free Webinar
Attackers could access these supposedly restricted resources by leveraging older versions of the Azure Resource Manager (ARM) API.
The most concerning finding involves the ability to generate administrative SSO tokens through a deprecated API endpoint.
This token can authenticate against the Management API with full privileges, allowing attackers to deploy new APIs, modify existing ones, and access all sensitive information.
The vulnerabilities were initially reported to Microsoft in February 2023. While Microsoft has addressed some issues, many of the legacy API vulnerabilities remain exploitable.
The company plans to disable legacy APIs by June 2024, though new APIM deployments still enable these vulnerable APIs by default.
Security Recommendations
Binary Security recommends several mitigation strategies:
- Restrict network-level access to management interfaces
- Implement VNETs, jump hosts, and dedicated CI/CD IP addresses
- Disable legacy APIs in APIM services immediately
- Configure the Management API Settings to prevent use of older API versions
These vulnerabilities pose significant risks to organizations using Azure API Management, as they could allow unauthorized users to:
- Deploy or modify APIs
- Access sensitive configuration data
- Read subscription keys and credentials
- Take full control of the APIM service
Microsoft’s response to these findings has been mixed, with some fixes implemented but others remaining pending.
The security researchers expressed disappointment in Microsoft’s handling of the vulnerabilities, noting that changes were made without proper communication and no bounties were issued despite the severity of the findings.
Organizations using Azure API Management are strongly advised to review their security configurations and implement the recommended mitigations to protect against the potential exploitation of these vulnerabilities.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!