“Azure Cloud’s Critical Security Breaches Get Fixed by Microsoft’s Timely Patches”

## Microsoft Patches High-Risk Flaws in Azure Cloud Platform

On May 4th, the Ermetic Research Team reported the discovery of three high-risk vulnerabilities in the Azure API Management Service. Exploiting them could have allowed attackers to access sensitive information stored on targeted services, deny access to servers through DoS attacks, or scan internal networks to identify targets for further attacks. The bugs include two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload. Azure API Management Service allows organizations to create, manage, secure, and monitor APIs across all their environments.

The researchers explained that SSRF lets an attacker make a vulnerable server send manipulated requests to an internal or external server or service, or use it in a DoS attack, potentially causing significant damage to the victim. The vulnerabilities patched by Microsoft affected central servers that “masses of users and organizations depend on for day-to-day operations,” said Liv Matan, a Cloud Security Researcher at Ermetic. Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even make the vulnerable servers unavailable.

The file upload path traversal vulnerability discovered in Azure API Management Service allowed an unrestricted file upload to the Azure developer portal server, which accepts uploads of static files and images to be shown on a developer’s dedicated portal. This flaw had the potential to allow attackers not only to take advantage of Microsoft’s self-hosted developer portal but also to weaponize the vulnerability against end users. This is particularly concerning because the Azure-hosted developer portal contains sensitive customer information that would have been at risk if the vulnerability had been exploited.

This is not the first time that Microsoft has had to address vulnerabilities in its Azure Cloud platform. Earlier, the company had already patched four SSRF flaws in four different Azure services, two of which could have allowed attackers to achieve remote code execution without authenticating to a legitimate account. In one instance, researchers found a “dangerous” flaw in Microsoft’s Azure Service Fabric component, which would have allowed an unauthenticated malicious actor to execute code on a container hosted on the platform.

While cloud service platforms like Azure have demonstrated vulnerability to cybersecurity breaches, organizations can take proactive measures to protect themselves from further damage. Liv Matan recommends that organizations practice proper input-validation hygiene and configure their servers not to follow redirects. He adds that, to avoid further compromise in these cases, organizations should validate all input received from untrusted sources, such as user input or HTTP requests. Other steps organizations could take include implementing a strong firewall to restrict outgoing traffic from applications to only the necessary services and ports, isolating data, and managing permissions on the server in cloud environments using IMDSv2.
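
The input-validation and no-redirect recommendations above can be combined in a single outbound-request guard. The following Python sketch is an added example, not code from Ermetic or Microsoft; the allowlisted host `api.partner.example`, the function names, and the sample addresses in it are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example"}  # assumption: hypothetical allowlist

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx so a validated URL cannot bounce to an internal one."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError instead of following

def is_public(ip_text):
    """True only for globally routable addresses (not loopback, private, link-local)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return ip.is_global

def resolve(host, port):
    return {i[4][0] for i in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)}

def check_url(url, resolver=resolve):
    """Validate an untrusted URL before any request is made; returns (ok, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed"
    if parts.scheme != "https":
        return False, "scheme"
    if parts.username or parts.password:
        return False, "userinfo"  # blocks the allowed-name@internal-host trick
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host"
    try:
        addrs = resolver(host, port)
    except OSError:
        return False, "dns"
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "address"  # an allowed name that resolves to an internal IP
    return True, "ok"

def fetch(url, timeout=5):
    ok, reason = check_url(url)
    if not ok:
        raise ValueError(f"blocked outbound request: {reason}")
    return urllib.request.build_opener(NoRedirect).open(url, timeout=timeout).read()
```

Because the HTTP client resolves the name again when it connects, this check does not by itself stop a DNS answer from changing between validation and connection, which is why the egress firewall restriction described above remains necessary alongside it.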

In conclusion, organizations that rely on cloud services like Azure must remain vigilant at all times and ensure they have security mechanisms in place. Further, cloud companies like Microsoft must make cybersecurity a top priority. Addressing vulnerabilities quickly and transparently and regularly reviewing and changing security protocols are vital in protecting customers’ critical data.
