Summary
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as they do not allow access to sensitive information or Azure backend services. Once these SSRF vulnerabilities were reported, Microsoft quickly took the necessary steps to resolve each vulnerability by implementing additional input validation for the vulnerable URLs. Microsoft also conducted a thorough investigation and determined that these SSRF vulnerabilities could not be used to access metadata, connect to internal services, access unauthorized data, or obtain cross tenant access. No customer action is required for the four impacted Azure services.
The impact of SSRF vulnerabilities can vary depending on the environment but can enable access to sensitive internal endpoints or port scanning. Microsoft has mechanisms in place to prevent privilege abuse such as the unauthorized retrieval of tokens, lateral movement or code execution. As such, these four vulnerabilities did not result in any material impact to Azure services or infrastructure.
Technical Details
The following are the 4 Azure Services in which SSRF vulnerabilities were reported. Once these were reported, Microsoft engineering and security teams quickly took steps to mitigate these vulnerabilities.
-
Azure Digital Twins: A SSRF vulnerability was reported on October 8, 2022 in the hosted Digital Twins Explorer. A fix was released on October 17, 2022. Azure Digital Twins has mechanisms to prevent IDMS and wireserver access preventing access other internal Azure services.
-
Azure Functions: A SSRF vulnerability was reported on November 12, 2022, in Azure Functions Service that could allow an unauthenticated user to request an arbitrary URL allowing an attacker to enumerate local port information. A fix was released on December 9, 2022.
-
API Management: A SSRF vulnerability reported on November 12, 2022 in Azure API Management Service could allow an authenticated user to request loopback URLs abusing the server. On November 16, 2022, the APIM engineering team completed deploying a fix to sufficiently block access to local ports/resources on the VM.
-
Azure Machine Learning (ML): The authenticated SSRF vulnerability reported on December 2, 2022 in the machine learning service was assessed to be low risk as it did not leak any sensitive data or tokens and did not enable access to sensitive internal endpoints. The fix was released on December 20, 2022.
Acknowledgement
We appreciate the opportunity to investigate the findings reported by Orca Security, which helped us further harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
References
Questions? Open a support case through the Azure Portal at aka.ms/azsupt .
Orca’s blog: https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services