A critical vulnerability was recently discovered in Azure API Management (APIM) that allowed users with Reader-level access to escalate their privileges to the equivalent of Contributor-level access.
This security flaw enabled users to read, modify, and even delete configurations of the APIM resource through the Direct Management API.
According to Binary Security researchers, the vulnerability stems from a flaw in the Azure Resource Manager (ARM) API, which is used when reading or deploying an APIM resource.
While Microsoft had previously added restrictions to prevent Reader-level users from accessing sensitive information in newer API versions, the bug bypassed these restrictions.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
To exploit the vulnerability, an attacker with Reader access could simply call a specific ARM API endpoint to obtain the keys of the default admin user.
These keys could then be used to generate SharedAccessSignatures, granting the attacker full access to perform any management operation on the APIM resource via the Direct Management API.
The vulnerability had a significant impact, as it allowed unauthorized users to gain elevated privileges and potentially compromise the security of the APIM resource and its associated APIs.
Attackers could list subscription keys, identity provider keys, and named value secrets, potentially gaining further access to Azure, Entra ID, and other integrated systems, as well as reads the report.
Microsoft addressed the vulnerability within a month of being notified by restricting access to the affected ARM API for users with Reader privileges. The fix has been applied retroactively to all instances of APIM.
While the vulnerability has been patched, it highlights the importance of implementing defense in depth measures to protect critical Azure resources.
Experts recommend making critical resources private and only accessible from their own virtual network (VNET) and, depending on the deployment, the CI/CD runners.
As more vulnerabilities in Azure resources are likely to be discovered in the future, organizations should remain vigilant and proactively implement security best practices to mitigate potential risks.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar