Reports revealed Microsoft’s Azure API Management has three new security flaws. These flaws could aid malicious actors in gaining access to sensitive information or backend services. The vulnerability includes two server-side request forgery (SSRF) vulnerabilities and unrestricted file upload functionality in the API Management developer portal.
According to Ermetic, an Israeli cloud security firm, one SSRF flaw allows attackers to send requests from the service’s CORS Proxy and hosting proxy, access internal Azure assets, deny service, and bypass web application firewalls. The other vulnerability exists in the API Management proxy function. Liv Matan gave this report according to observations from research.
Attackers could leverage these flaws to upload malicious files to Azure’s hosted internal workload or developer portal server and execute arbitrary code on the underlying system. While one of the SSRF vulnerabilities identified by Ermetic is a bypass for a fix put in place by Microsoft to address a similar vulnerability reported by Orca earlier this year, the other vulnerability stems from a lack of validation of the file type and path of the files uploaded.
The Azure API Management service allows organizations to safely expose their APIs to external and internal customers, providing a wide range of connected experiences. Exploiting SSRF flaws can lead to losing confidentiality and integrity, allowing threat actors to read internal Azure resources and execute unauthorized code. After responsible disclosure, Microsoft patched all three vulnerabilities.
These findings, such as the “by-design flaw” in Microsoft Azure, follow previous discoveries by Orca and other researchers. The vulnerability can help attackers access storage accounts and execute remote code. Another flaw, labelled “EmojiDeploy,” could enable an attacker to take control of a targeted application.
Despite everything, Microsoft assures customers of maximum protection from any attack as work is ongoing to curb the effect of the vulnerability and ensure such never repeats itself.