iTnews Asia
Microsoft patches Azure API service against three vulnerabilities

Researchers found request forgery, file upload bugs.

By Richard Chirgwin on May 8, 2023 12:34PM

Security researchers have disclosed three now-patched vulnerabilities they discovered in Microsoft’s Azure API Management service.

The service acts as a publishing hub for a company’s APIs, and provides a platform to create, manage, secure and analyse APIs.

Ermetic researchers said they found two server-side request forgery (SSRF) bugs, and an arbitrary file upload bug.

Exploiting the SSRF vulnerabilities could result in denial-of-service, web application firewall bypass, and access to internal Azure assets, they said.

The file upload vulnerability would let an attacker upload files to Azure’s “hosted internal workload” and to “self-hosted developer portals”.

One of the SSRFs involved the service’s Cross-Origin Resource Sharing (CORS) proxy.

A bug reported by another company was fixed in November 2022, and Ermetic’s bug bypassed that fix. It was reported in December 2022 and patched in January 2023.

By manipulating the requested URL, the researchers “managed to get a full SSRF with a reflected response on the CORS Proxy of the Azure API Management service.”

“This enabled us to send the SSRF with a chosen HTTP verb/method”, they added, yielding access to Azure internal services.

The other SSRF was in the Azure API Management hosting proxy: the researchers found that the service’s policy management feature gave them access to internal Azure resources.
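Both SSRF findings come down to a proxy fetching a URL that the caller controls, with a method the caller chooses. The defensive counterpart is a target check run before the proxy issues any request. The following is an added example written for this article, not Ermetic’s research code or any part of Azure API Management; the allowlisted hostnames, the permitted methods and the addresses returned by the stand-in resolver are all constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlists for this example: the only origins and methods the
# proxy may use on behalf of a caller.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_METHODS = {"GET", "HEAD"}


def is_internal_address(ip_text):
    """True for any address a caller-steered proxy should never reach:
    private ranges, loopback, link-local, reserved, multicast, unspecified."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop an IPv6 scope id
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_proxy_target(url, method="GET", resolver=socket.getaddrinfo):
    """Return (True, "ok") if the proxy may forward this request, else
    (False, reason). `resolver` has getaddrinfo's signature so the check can
    be exercised offline with a stand-in."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.name@other.host/' parses the trusted name as userinfo,
        # a classic way to slip past a naive substring check on the URL.
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    try:
        records = resolver(host, port)
    except OSError:
        return False, "name resolution failed"
    # Defence in depth: even an allowlisted name must not resolve inward.
    for record in records:
        if is_internal_address(record[4][0]):
            return False, "resolves to internal address"
    return True, "ok"


def constructed_resolver(host, port):
    """Stand-in for socket.getaddrinfo with made-up answers so the example
    runs without network access. 93.184.216.34 stands for a public address;
    10.0.0.5 stands for an internal one."""
    table = {"api.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}
    return [(None, None, None, "", (table[host], port))]


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/items",
                   "https://cdn.example.com/logo.png",
                   "https://api.example.com@other.example/"):
        print(target, validate_proxy_target(target, "GET", constructed_resolver))
```

The hostname allowlist is the primary control; the address check catches an allowlisted name that resolves somewhere it should not. Because the proxy's HTTP client will normally resolve the name again when it connects, a production version should connect to the address that passed the check rather than letting the client look it up a second time.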

The file upload bug they discovered was an unrestricted file upload path traversal in the API Management developer portal, Ermetic said.

“Our finding affects not only Azure itself but also end-users who have deployed the developer portal themselves,” the researchers said.

“We found that Azure does not validate the file type and path of the files uploaded.

“Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping or any other relevant attack vector.”
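The two missing checks the researchers name, file type and path, are the two that a safe upload handler has to make before anything is written to disk. Below is an added example illustrating those checks; it is not Ermetic’s code and not the developer portal’s actual upload code. The upload root, the allowed types and the file names are constructed for the example.

```python
import posixpath

# Assumed storage root for portal uploads (constructed; not the real developer
# portal layout). Keeping it outside the application's own directory means a
# write that somehow lands here still cannot replace a DLL or config file.
UPLOAD_ROOT = "/srv/portal/uploads"

# Allowlist of non-executable types keyed by extension, each with the leading
# bytes the content must start with, so a renamed binary is caught even when
# its file name passes.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def unsafe_upload_path(root, user_path):
    """The pattern the researchers describe: the client-supplied path is joined
    onto the root with no validation, so '../' segments walk out of the root
    once the OS normalises the path."""
    return posixpath.normpath(posixpath.join(root, user_path))


def safe_upload_path(root, user_path, data):
    """Return (True, final_path) or (False, reason).

    root is an absolute POSIX path; user_path is the client-supplied relative
    path; data is the uploaded content (at least its first bytes).
    """
    if "\x00" in user_path:
        return False, "null byte in path"
    if "\\" in user_path or user_path.startswith("/"):
        return False, "absolute path or backslash not allowed"
    norm = posixpath.normpath(user_path)
    # normpath collapses 'a/../b' to 'b' but leaves a leading '..' in place,
    # so any '..' segment that survives means the path tried to climb out.
    if norm == "." or ".." in norm.split("/"):
        return False, "path traversal"
    root = posixpath.normpath(root)
    final = posixpath.normpath(posixpath.join(root, norm))
    # Defence in depth: the resolved path must still sit under the root.
    if not final.startswith(root + "/"):
        return False, "path escapes upload root"
    ext = posixpath.splitext(norm)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "file type not allowed"
    if not data.startswith(magic):
        return False, "content does not match declared type"
    return True, final


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header
    print(unsafe_upload_path(UPLOAD_ROOT, "../../web.config"))
    print(safe_upload_path(UPLOAD_ROOT, "../../web.config", png))
    print(safe_upload_path(UPLOAD_ROOT, "images/logo.png", png))
```

The extension allowlist is deliberately short and contains no type the web server would execute or load; the content sniff backs it up; the path check runs on the normalised path and then re-checks the final location, so a traversal that survives one step is caught by the next.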

Copyright © iTnews.com.au . All rights reserved.