Orca recently investigated several Microsoft Azure services and found four instances in which services were susceptible to a Server-Side Request Forgery (SSRF) attack.
Two weaknesses present in the Azure platform are particularly concerning because they do not require any form of authentication to access or exploit.
This means that an attacker does not need to have a valid account or login credentials for the Azure platform in order to take advantage of these vulnerabilities.
This lack of authentication makes it much easier for an attacker to gain unauthorized access or perform malicious actions and increases the likelihood of a successful attack.
The use of the word “concerning” emphasizes the severity of this security concern and highlights the need for immediate action to address these vulnerabilities.
Vulnerable Azure Services
The security vulnerabilities discovered by Orca between October 8, 2022, and December 2, 2022, are in the following services:
- Azure API Management
- Azure Functions
- Azure Machine Learning
- Azure Digital Twins
After discovering these vulnerabilities, Orca promptly reported them to the Microsoft Security Response Center (MSRC). As a result, MSRC fixed the problems quickly and Microsoft confirmed that the vulnerabilities were no longer present.
Now, Orca is making the information about the vulnerabilities public, as they have been resolved. Below we have mentioned the general summary and the sequence of events of the vulnerabilities that were discovered in four Azure services.
Mitigations
Thankfully, the researchers’ attempts to exploit the SSRF vulnerabilities found in Azure were foiled, as Microsoft had already established various SSRF countermeasures within their cloud ecosystem, preventing access to IMDS endpoints.
To neutralize potential threats, organizations are urged to take the following actions:
- Verify all input.
- Ensure that servers are configured to permit only necessary inbound and outbound communication.
- Prevent misconfigurations.
- Strictly follow the principle of least privilege (PoLP).
- Keep the cloud environment secure.