Azure Default API Connection Flaw Enables Full Cross-Tenant Compromise

A critical security vulnerability in Microsoft Azure’s API Connection architecture has been discovered that could allow attackers to completely compromise resources across different tenant environments, potentially exposing sensitive data stored in Key Vaults, Azure SQL databases, and third-party services like Jira and Salesforce.

The vulnerability, which earned a security researcher a $40,000 bounty from Microsoft and a presentation slot at Black Hat, exploited Azure’s shared API Management (APIM) instance where all API Connections are created globally.

This architectural flaw enabled unprecedented cross-tenant access, allowing malicious actors to hijack any API Connection worldwide with full backend privileges.

Technical Exploitation Details

The attack leveraged an undocumented DynamicInvoke endpoint that allows API Connections to execute arbitrary actions through Azure Resource Manager (ARM).

Unlike the restricted /extensions/proxy/[Action] endpoint, DynamicInvoke accepts custom paths, methods, headers, and request bodies, providing a powerful attack vector.

The vulnerability centers on how ARM processes requests to the shared APIM instance.

When receiving a DynamicInvoke request, ARM constructs calls using the format: /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint] with super-privileged ARM tokens that have access to all API Connections globally.

Attackers could exploit this by creating custom Logic App connectors with path traversal vulnerabilities.

(Figure: Traverse to a victim connection and retrieve Secrets)

By supplying malicious path parameters like ../../../../[VictimConnectorType]/[VictimConnectionID]/[action], the request path would normalize to target victim connections directly, bypassing all access controls.

The severity of this vulnerability cannot be overstated. Successful exploitation grants attackers administrator-level access to compromised resources, including:

  • Azure Key Vaults: Complete access to stored secrets, certificates, and cryptographic keys
  • Azure SQL Databases: Full database access and potential data exfiltration
  • Third-party integrations: Compromise of connected services like Slack, Salesforce, and Jira
  • Any externally connected service accessible through API Connections

The only prerequisite for exploitation was having Contributor-level access to an API Connection within any Azure tenant, making this a significant privilege escalation vulnerability.

Microsoft responded rapidly to the disclosure, confirming the vulnerability within three days of the April 7th submission and implementing mitigations within one week, according to a report by Binary Security.

The company deployed a blacklist system that blocks ../ and certain URL-encoded variants in path parameters.

However, the researcher noted that this fix might not be comprehensive, suggesting that bypasses could still be possible through alternative path normalization techniques or direct API Connection path manipulation.
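The researcher's concern with a denylist is that it names the bad input rather than defining the good one. The following is an added illustration, not code from Microsoft, Binary Security or the article, of the alternative a defender would want: build the backend path the way the article describes (/apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint]), decode and normalize it, and only then check that the resolved path is still confined to the caller's own connection prefix. The function names, the `conn-123` identifier and the sample parameters are constructed for the example.

```python
from posixpath import normpath
from urllib.parse import unquote

# Assumed path layout, taken from the article's description of the ARM-to-APIM call.
APIM_PREFIX = "/apim"


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so encoded
    traversal sequences are seen by the normalizer rather than hidden from it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_connection_path(connector_type: str, connection_id: str,
                              action: str, user_param: str) -> str:
    """Return the normalized backend path for a caller-supplied parameter."""
    candidate = f"{APIM_PREFIX}/{connector_type}/{connection_id}/{action}/{_fully_decode(user_param)}"
    # normpath collapses '.', '..' and repeated slashes the same way a backend
    # router would, which is exactly the step a '../' denylist tries to pre-empt.
    return normpath(candidate)


def is_confined(connector_type: str, connection_id: str,
                action: str, user_param: str) -> bool:
    """Allow-list check: the resolved path must stay under the caller's own
    connection, regardless of how the parameter was spelled or encoded."""
    expected_prefix = f"{APIM_PREFIX}/{connector_type}/{connection_id}/"
    resolved = canonical_connection_path(connector_type, connection_id, action, user_param)
    return resolved.startswith(expected_prefix)


def resolve_or_reject(connector_type: str, connection_id: str,
                      action: str, user_param: str) -> str:
    """Gateway-side helper: return the safe path or refuse the request."""
    if not is_confined(connector_type, connection_id, action, user_param):
        raise PermissionError("path parameter escapes the caller's API Connection")
    return canonical_connection_path(connector_type, connection_id, action, user_param)


if __name__ == "__main__":
    # Constructed sample: a benign parameter is confined, a traversal attempt is not.
    print(resolve_or_reject("keyvault", "conn-123", "secrets", "my-secret"))
    print(is_confined("keyvault", "conn-123", "secrets", "../../../../other/victim/act"))
```

The point of the design is that the decision is made on the path the backend will actually see, so any spelling that normalizes to the same escape is rejected by the same comparison; a denylist has to be extended every time a new spelling is found, which is the gap the researcher is pointing at.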

The researcher encourages further security testing, noting that successful bypasses should yield similar bounty rewards.

This discovery highlights the critical importance of secure architecture design in cloud environments where multi-tenant isolation is paramount for customer trust and data security.
