Four New Microsoft Azure Vulnerabilities Found By Orca Security

Microsoft has fixed all of the issues, which could have put customer data at risk if attackers had found the vulnerabilities first.

ARTICLE TITLE HERE

Vulnerabilities in four Microsoft Azure services, which posed the risk of leading to the exposure of customer data, were discovered by the research team at cloud security company Orca Security, the researchers disclosed Tuesday.

Microsoft has now fixed all of the vulnerabilities in the Azure services, the Orca research team said. In a blog post, Microsoft confirmed that the issues have been addressed, and said customers don’t need to take any action.

The findings are the latest public cloud services vulnerabilities to be discovered by outside researchers—an effort that Orca Security and other cloud security companies, including Wiz and Palo Alto Networks, have been spearheading amid the ever-climbing adoption of the cloud.

id
unit-1659132512259
type
Sponsored post

[Related: Wiz: Vulnerability In Microsoft Azure Database Allowed Access To Sensitive Customer Data]

It’s crucial for these vulnerabilities to be uncovered and fixed before hackers can exploit them because “as organizations move more toward the cloud, the attacker is moving to the cloud as well,” Dror Zalman, threat research team leader at Orca Security, told CRN.

The four vulnerabilities were discovered between October and December 2022 and affected the Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins services.

The flaws all fall into the category known as Server Side Request Forgery (SSRF) vulnerabilities. If exploited, an SSRF vulnerability could allow for a server’s request to a service to be manipulated, potentially leading to malicious activity such as data theft or alterations to internal resources.

In the case of the vulnerability that affected Azure API Management, for instance, the Orca researchers discovered the potential for retrieving “some very sensitive data” by exploiting the vulnerability, said cloud threat researcher Lidor Ben Shitrit.

Meanwhile, for the vulnerabilities that affected Azure Functions and Azure Digital Twins, the Orca research team found that it was able to exploit the flaws without logging in to an Azure account.

Orca researchers notified the Microsoft Security Response Center about the vulnerabilities after the flaws were discovered, and Microsoft quickly fixed the issues, according to Orca.

In its blog post, Microsoft said an investigation concluded that the four SSRF vulnerabilities were “low risk” and that they “could not be used to access metadata, connect to internal services, access unauthorized data, or obtain cross tenant access.” Security measures put in place by the company ensured that the four vulnerabilities “did not result in any material impact to Azure services or infrastructure,” Microsoft said.

While the potential for a breach of Azure services was averted in this case, the risk posed by SSRF vulnerabilities was recently underscored in the cyberattack against the Rackspace Hosted Exchange service.

The Dec. 6 ransomware attack against the service was enabled by a zero day exploit associated with a Microsoft Exchange vulnerability (CVE-2022-41080), Rackspace disclosed, which has been identified as an SSRF vulnerability by CrowdStrike.

Hackers gained access to data from 27 Rackspace Hosted Exchange customers during the ransomware attack, but nearly 30,000 customers in all had been using the service and at least some are still waiting to have their historical emails provided to them by Rackspace. Jerry Zigmont, owner of New Haven, Conn.-based consultancy MacWorks, told CRN that several of his customers are awaiting the delivery of the PST (personal storage table) files that are needed to restore their historical emails to their new email service.

“None of my clients have been made whole after this hack,” Zigmont said.

In response to an inquiry about the status of customers’ PST files, a Rackspace representative referred CRN to a page about the incident that was last updated on Jan. 5.