Researchers at the security firm Orca discovered that four different Microsoft Azure services were vulnerable to server-side request forgery (SSRF) attacks. Threat actors could have exploited the flaws to gain unauthorized access to cloud resources.
Vulnerable services included Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins.
The researchers successfully exploited two vulnerabilities without requiring any authentication on the Azure Functions and Azure Digital Twins services. The attacks allowed the experts to send requests in the name of the server without even having an Azure account.
“The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target.” reads the analysis published by Orca.
The experts pointed out that SSRF vulnerabilities can allow attackers with access to the host’s IMDS (Cloud Instance Metadata Service), to retrieve detailed info on instances (i.e. hostname, security group, MAC address and user-data) and potentially retrieve tokens, perform lateral movement and execute arbitrary code.
Orca researchers did not manage to reach any IMDS endpoints due to various SSRF mitigations implemented by Microsoft.