Orca has disclosed four server-side request forgery (SSRF) vulnerabilities in Microsoft Azure services, two of which could be exploited without authentication to gain unauthorized access to cloud resources.
The issues, discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins, have since been fixed by Microsoft; the last of them was closed on December 20.
Among the main problems are the following:
- An unauthenticated SSRF in Azure Digital Twins Explorer, caused by a flaw in the /proxy/blob endpoint that could be used to obtain a response from any service whose hostname ends in "blob.core.windows[.]net".
- An unauthenticated SSRF in Azure Functions that could be used to enumerate local ports and reach internal endpoints.
- An authenticated SSRF in Azure API Management that could be used to list internal ports, including the port of the source code management service, which in turn could be used to access sensitive files.
- An authenticated SSRF in Azure Machine Learning via the /datacall/streamcontent endpoint, which could be used to retrieve content from arbitrary endpoints.
The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports and discover services, endpoints and sensitive files. Such information about vulnerable servers and services is of high value when planning initial access and choosing subsequent targets.
The two vulnerabilities affecting Azure Functions and Azure Digital Twins could be exploited without any authentication, allowing an attacker to take control of the server without even holding an Azure account.
SSRF attacks can have serious consequences because they allow an attacker to read or modify internal resources and, worse, pivot to other hosts and compromise systems to extract valuable data.
Three of the vulnerabilities are rated important in severity, and the SSRF vulnerability affecting Azure Machine Learning is rated low. All of these weaknesses could be used to manipulate the server in order to carry out further attacks against a vulnerable target.
Orca researchers note that all four vulnerabilities could be exploited via XXE (XML External Entity) injection, SVG files, a proxy server, PDF rendering, or a vulnerable query string in the URL.
To reduce the risk, users are advised to validate all input, make sure servers are configured to allow only the necessary inbound and outbound traffic, avoid misconfigurations and follow the principle of least privilege (PoLP).
Microsoft later published a blog post explaining that the vulnerabilities were given a low severity rating because they did not allow access to sensitive information or to Azure server-side services.
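The mitigation advice above (input validation plus restricting what a server may reach) is what a server-side fetch or proxy endpoint like the one described for Azure Digital Twins Explorer needs before it forwards a request. The following is an added illustration written for this page, not Orca's or Microsoft's code and not a reproduction of any Azure component: it puts a weak hostname-suffix check beside a hardened validator that pins the scheme, rejects embedded credentials and non-default ports, requires an exact hostname allow-list, and refuses destinations that resolve to private, loopback or link-local addresses. The storage account name, the allow-list and the IP addresses are constructed placeholders, and the DNS resolver is injectable so the logic can be exercised offline.

```python
"""Outbound-URL validation for a server-side fetch/proxy endpoint.

Added example for the SSRF mitigations discussed in the article. Not code from
Orca or Microsoft; hostnames, the allow-list and IP addresses are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed allow-list: the only storage account this service is meant to reach.
ALLOWED_HOSTS = frozenset({
    "exampleacct.blob.core.windows.net",  # placeholder account name
})
BLOB_SUFFIX = ".blob.core.windows.net"

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to its IP literals with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def suffix_check(url: str) -> bool:
    """Weak control: accept any host that merely ends with the blob suffix.

    A suffix match says nothing about which account is reached and constrains
    neither the scheme, the port nor embedded credentials. Shown only as the
    shape of check to avoid.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(BLOB_SUFFIX)


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses (no private/loopback/link-local)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str, resolver: Resolver = default_resolver) -> str:
    """Hardened control: return the URL unchanged if it passes every check.

    Raises ValueError with a reason on the first failing check: scheme must be
    https, no userinfo, default port only, exact hostname allow-list, and every
    address the host resolves to must be publicly routable.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = (parts.hostname or "").lower()
    if parts.port not in (None, 443):          # .port raises ValueError if malformed
        raise ValueError("non-default port")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allow-list: {host!r}")
    for ip_text in resolver(host):
        if not is_public_ip(ip_text):
            raise ValueError(f"{host} resolves to non-public address {ip_text}")
    return url


def classify(urls: Iterable[str], resolver: Resolver = default_resolver) -> Dict[str, str]:
    """Map each candidate URL to 'allow' or 'deny:<reason>' for logging/review."""
    result: Dict[str, str] = {}
    for url in urls:
        try:
            validate_outbound_url(url, resolver)
            result[url] = "allow"
        except ValueError as exc:
            result[url] = f"deny:{exc}"
    return result
```

The resolver step matters because an allow-listed hostname is only as trustworthy as the DNS answer it returns at request time; a deployment would also pin the resolved address for the actual connection rather than resolving twice.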