Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.
The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January.
“By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert Thursday, adding that via the file upload path traversal, attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals.
SSRF vulnerability bypasses the previous fix
Of the two separate SSRF vulnerabilities that were identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.
The Azure API Management CORS Proxy was initially believed to be a duplicate of a previously reported vulnerability that was patched by Microsoft. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January.
The SSRF vulnerabilities affected central servers that many users and organisations depend on for day-to-day operations. "Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers," Ermetic said in the research.
Path transverse vulnerability's impact beyond Azure
Azure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. “Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector," Ermetic said.
The developer portal also has a self-hosting feature indicating that the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves, according to Ermetic.
Recently identified vulnerabilities in Azure
Recently, there have been a few other, critical vulnerabilities identified in Azure.
Last month, a "by-design" flaw was identified in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in computing environments, and even execute remote code, according to research from cybersecurity firm Orca.
To prevent exploits of the flaw, researchers advised that organizations should disable Azure Shared Key authorisation and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege access so that this risk can be greatly reduced, Orca said.
In January, Ermetic identified a remote code execution vulnerability affecting services such as Function Apps, App Service, Logic Apps on Azure Cloud, and other cloud services. The vulnerability, dubbed EmojiDeploy, is achieved through cross-site address forgery (CSRF) on the ubiquitous software change management (SCM) service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim's Azure application.