January 18, 2023

Orca, a cloud security firm, has disclosed details on four server-side request forgery (SSRF) vulnerabilities that affects Azure devices like Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

Three of the Azure flaws were classified as “Important,” while one was classified as “Low.” Microsoft patched all four SSRF flaws. While two of these flaws could have been exploited without requiring authentication. The four SSRF flaws only affect cloud software and do not affect local software in Azure customer environments.

According to Lidor Ben Shitrit, cloud security researcher at Orca, and Dror Zalman, director of cloud security research at Orca, the vulnerabilities in two instances involving Azure Functions and Azure Digital Twins did not require authentication, so an attacker could exploit them without an Azure account.

The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports for new services, endpoints, and files. This provided useful information on potentially vulnerable servers and services to exploit for initial entry, as well as the location of potentially vulnerable information.

Microsoft was notified of the research and has since confirmed that the vulnerabilities have been fixed.

The sources for this piece include an article in TheHackerNews