According to cybersecurity firm Ermetic, Microsoft has patched three new vulnerabilities in the Azure API Management service: two server-side request forgery (SSRF) vulnerabilities and a file upload path traversal in an internal Azure workload.
The vulnerabilities stemmed from bypasses of URL format checks and from unrestricted file upload functionality in the API Management developer portal, Ermetic said. The firm identified the vulnerabilities in December, and Microsoft patched them in January.
Azure API Management is a managed platform as a service (PaaS) designed to enable enterprises to securely develop and manage APIs in hybrid and multi-cloud computing environments.
“By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS [cross-origin resource sharing] proxy and from the hosting proxy itself to access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert on Thursday, adding that through the file upload path traversal, attackers could also upload malicious files to Azure's internal hosted workloads and to self-hosted developer portals.
The SSRF vulnerability bypasses the previous fix
Of the two SSRF vulnerabilities identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.
The Azure API Management CORS Proxy vulnerability was initially believed to be a duplicate of a previously reported vulnerability that Microsoft had already patched. However, it was later discovered that the new vulnerability bypassed that initial fix. Microsoft fully patched it in January.
The SSRF vulnerabilities affected central servers that many users and organizations depend on for day-to-day operations. “Using them, attackers could spoof requests from these legitimate servers, access internal services that may contain sensitive Azure customer information, and even prevent the availability of vulnerable servers,” Ermetic said in the research alert.
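The SSRF findings above turn on how a proxy decides which outbound destination a user-supplied URL actually names. The following added example (written for this article, not Ermetic's or Microsoft's code) contrasts a naive substring check, which a URL-format bypass defeats, with a strict check that parses the URL, rejects userinfo in the authority, enforces a hostname allowlist and resolves every address so that nothing landing in private, loopback or link-local space (including the 169.254.169.254 metadata range) is reachable. The allowlist entry `api.example.com`, the blocked ranges and the static resolver are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames this proxy is permitted to reach (constructed for the example).
ALLOWED_HOSTS = {"api.example.com"}

# Address space an outbound proxy must never reach: RFC 1918, loopback,
# link-local (covers the 169.254.169.254 metadata endpoint) and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_check(url: str) -> bool:
    """The kind of substring test a URL-format bypass gets past."""
    return url.startswith(("http://", "https://")) and any(h in url for h in ALLOWED_HOSTS)


def resolve_host(host: str) -> list[str]:
    """Live DNS lookup; the test swaps in a static resolver instead."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def make_static_resolver(mapping: dict[str, list[str]]):
    """Build an offline resolver from a constructed host -> addresses table."""
    def resolver(host: str) -> list[str]:
        if host not in mapping:
            raise socket.gaierror(f"no constructed record for {host}")
        return mapping[host]
    return resolver


def proxy_target_allowed(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Strict destination check: parse, allowlist the host, then vet every resolved IP."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http(s)"
    if parts.username is not None or parts.password is not None:
        # http://api.example.com@10.0.0.1/ names 10.0.0.1, not api.example.com.
        return False, "userinfo present in authority"
    host = parts.hostname  # urlsplit lowercases and strips brackets for us
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    offline = make_static_resolver({"api.example.com": ["203.0.113.10"]})
    for candidate in ("https://api.example.com/v1/users",
                      "http://api.example.com@10.0.0.1/",
                      "http://169.254.169.254/metadata?ref=api.example.com"):
        print(candidate, "naive:", naive_check(candidate),
              "strict:", proxy_target_allowed(candidate, offline))
```

Resolving and checking every returned address matters because a host that passes the allowlist can still resolve to an internal address; a production proxy would additionally pin the connection to the vetted address so a second lookup cannot return something different.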
Impact of the path traversal vulnerability extends beyond Azure
Azure does not validate the file type or path of files uploaded to the developer portal of the API Management service. “Authenticated users can traverse the specified path when uploading files, upload malicious files to the developer portal server, and possibly execute code there via DLL hijacking, iisnode configuration sharing, or any other relevant attack vector,” Ermetic said.
According to Ermetic, the developer portal also has a self-hosting option, meaning the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves.
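The two missing controls named above, file type validation and path validation, are straightforward to enforce on the server side. The following added example (written for this article, not the developer portal's own upload code) accepts a client-supplied filename only if it is a single plain component matching an allowlist pattern, carries an allowlisted extension, and still resolves to a location directly inside the upload root after symlink and `..` resolution; it then creates the file with `O_EXCL` so an upload can never overwrite a file the server already serves or loads, which is the precondition for the DLL hijacking and configuration-replacement paths Ermetic mentions. The extension allowlist and the sample filenames are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Content a developer portal might legitimately host (constructed allowlist).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".svg", ".css", ".html"}

# Exactly one filename component: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def safe_upload_destination(upload_root: Path, client_name: str) -> Path:
    """Map a client-supplied filename to a path inside upload_root, or raise ValueError."""
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise ValueError("separator or NUL byte in filename")
    if not SAFE_NAME.match(client_name):
        raise ValueError("filename fails allowlist pattern")
    ext = Path(client_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext or '<none>'} not allowed")
    root = upload_root.resolve()
    dest = (root / client_name).resolve()
    # Containment check: after resolution the file must sit directly in root.
    if dest.parent != root:
        raise ValueError("destination escapes upload root")
    return dest


def store_upload(upload_root: Path, client_name: str, data: bytes) -> Path:
    """Write data to the validated destination without overwriting anything."""
    dest = safe_upload_destination(upload_root, client_name)
    # O_EXCL makes creation fail if the name already exists, so an upload
    # cannot replace a file the server already serves, loads or executes.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def classify_uploads(names: list[str]) -> list[tuple[str, str]]:
    """Try each name against one fresh temporary upload root; return (name, verdict) pairs."""
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in names:
            try:
                store_upload(root, name, b"constructed upload body")
                verdicts.append((name, "accepted"))
            except (ValueError, FileExistsError) as exc:
                verdicts.append((name, f"rejected: {exc}"))
    return verdicts


if __name__ == "__main__":
    # Constructed sample names: legitimate assets, traversal attempts and
    # code- or config-bearing names, plus a duplicate to show O_EXCL at work.
    samples = ["logo.png", "../web.config", "..\\bin\\plugin.dll",
               "iisnode.yml", "theme.css", "logo.png"]
    for name, verdict in classify_uploads(samples):
        print(f"{name!r}: {verdict}")
```

The pattern check and the containment check are deliberately redundant: the regex stops traversal before any filesystem call, and the resolved-path comparison catches anything the pattern might miss on a given platform, such as a symlink planted inside the upload root.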
Recently identified vulnerabilities in Azure
There have been a few other critical vulnerabilities identified in Azure recently.
Last month, a “by-design” flaw in Microsoft Azure was identified that attackers could exploit to access storage accounts, move laterally within computing environments and even execute remote code, according to research by security firm Orca Security.
To prevent exploitation of the flaw, the researchers advised organizations to disable Azure Shared Key Authorization and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege so that risk can be greatly reduced, Orca said.
In January, Ermetic identified a remote code execution vulnerability affecting Azure services such as Function Apps, App Service and Logic Apps, as well as other cloud services. The vulnerability, called EmojiDeploy, is achieved through cross-site request forgery (CSRF) in the ubiquitous Kudu source control management (SCM) service. By exploiting it, attackers could deploy malicious zip files containing a payload to the victim’s Azure application.
Copyright © 2023 IDG Communications, Inc.
Microsoft has recently released a patch that resolves three vulnerabilities in Azure API Management. This important update to Microsoft’s cloud platform services highlights how important it is for organisations to stay current on the software and security protocols underpinning their technology operations.
The update was released on the 17th of November and was designed to address several security issues, including the coding-based vulnerability related to the “Role Token” system. The vulnerability has been categorised as “Important”, and Microsoft’s support bulletin stated that “an attacker could use the vulnerability to gain access to the application and in turn, could gain control of it.”
The patch, which is applied automatically, adds a revocation system that cuts off access from applications with potentially illegitimate sources. This is in addition to an updated automatic logout system.
Ikaroa, a full stack tech company, works with clients to ensure databases, systems, and cloud-based services are updated to the latest security protocols and are meeting the very highest in cybersecurity standards. Our experienced technical staff is trained to recognise the vital importance of updates and patches in these areas.
Microsoft’s patch to Azure API Management is yet another example of how vital it is for organisations and businesses to be provided with the latest in secure operation. At Ikaroa, we understand that keeping systems up to date and secure is a continual process, and our clients can trust us to provide them with the punctual and essential security patches they need.