Binary Security recently uncovered critical vulnerabilities in Microsoft’s Azure API Management (APIM) service, posing serious risks to users. These flaws allow attackers with minimal access privileges to escalate their permissions, potentially taking full control over the APIM service. The vulnerabilities were reported to Microsoft, and while some patches have been implemented, several key issues remain unresolved. These findings underscore the importance for users to actively secure their API environments to prevent exploitation.
The vulnerabilities are linked to outdated versions of the Azure Resource Manager (ARM) API, which is integral to APIM’s operation. APIM offers crucial capabilities for defining, securing, and scaling APIs, making it essential for enterprise environments. However, these older ARM API versions allow users with basic Reader permissions—typically limited to view-only access—to perform administrative actions. Exploitable actions include deploying new APIs, modifying existing ones, and retrieving sensitive subscription keys and secrets, a major security oversight in APIM’s access controls.
One particularly severe flaw involves the potential for attackers to escalate their access by retrieving a Shared Access Signature (SAS) token, which can provide administrative rights to the APIM service. By using outdated API endpoints, attackers can bypass newer security controls and gain unauthorized access to administrator functions. This manipulation is exemplified by API calls using legacy versions, such as an API request for subscription keys using older ARM versions, or a request to retrieve an SSO token that grants full control of the APIM environment.
Microsoft has introduced a toggle setting, “Disable old API versions,” aimed at mitigating these risks by restricting access to outdated API endpoints. However, this toggle is not enabled by default, leaving many APIM instances susceptible to attack. Binary Security has criticized Microsoft’s handling of the issue, noting that while some vulnerabilities were addressed, significant gaps remain. Organizations using Azure APIM are advised to promptly disable legacy API versions and adopt comprehensive security measures to guard against potential privilege escalation attacks.
Reference:
