Microsoft resolves four SSRF vulnerabilities in Azure cloud services

Summary

Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. These SSRF vulnerabilities were assessed as low risk because they do not allow access to sensitive information or to Azure backend services. Once they were reported, Microsoft quickly took the necessary steps to resolve each vulnerability by adding input validation for the URLs the affected services would fetch. Microsoft also conducted a thorough investigation and determined that these SSRF vulnerabilities could not be used to read instance metadata, connect to internal services, access unauthorized data, or obtain cross-tenant access. No customer action is required for the four impacted Azure services.

The impact of an SSRF vulnerability varies with the environment; at worst it lets an attacker reach sensitive internal endpoints or port-scan the host's network from inside. Microsoft has mechanisms in place to prevent privilege abuse such as the unauthorized retrieval of tokens, lateral movement, or code execution. As a result, these four vulnerabilities did not have any material impact on Azure services or infrastructure.

Technical Details

SSRF vulnerabilities were reported in the following four Azure services. In each case, Microsoft engineering and security teams quickly took steps to mitigate them.

  • Azure Digital Twins: An SSRF vulnerability in the hosted Digital Twins Explorer was reported on October 8, 2022. A fix was released on October 17, 2022. Azure Digital Twins has mechanisms that block access to the Instance Metadata Service (IMDS) and the wireserver, which prevented the flaw from reaching other internal Azure services.

  • Azure Functions: An SSRF vulnerability in the Azure Functions service, reported on November 12, 2022, could allow an unauthenticated user to make the service request an arbitrary URL, letting an attacker enumerate local port information. A fix was released on December 9, 2022.

  • Azure API Management: An SSRF vulnerability in the Azure API Management service, reported on November 12, 2022, could allow an authenticated user to make the service request loopback URLs. On November 16, 2022, the APIM engineering team completed deploying a fix that blocks access to local ports and resources on the VM.

  • Azure Machine Learning (ML): The authenticated SSRF vulnerability in the Azure Machine Learning service, reported on December 2, 2022, was assessed as low risk: it did not leak sensitive data or tokens and did not enable access to sensitive internal endpoints. The fix was released on December 20, 2022.
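Each of the four fixes came down to validating the target URL before the service fetched it, and the Digital Twins and API Management entries spell out what that validation must refuse: loopback and local ports, the Instance Metadata Service, and the wireserver. The following is an added illustration in Python of such a deny-list check; it is not Microsoft's code and says nothing about how the four services implement their own checks. It allows only http and https, rejects credentials in the URL, resolves the hostname, unwraps IPv4-mapped IPv6 literals, and refuses any target that lands on loopback, private or link-local space, the Azure IMDS address 169.254.169.254, or the wireserver address 168.63.129.16. The resolver is injectable so the example runs offline against a constructed DNS table; the hostnames and public addresses in that table are made up.

```python
import ipaddress
import socket
from typing import Callable, List, NamedTuple
from urllib.parse import urlsplit

# Added example (not Microsoft's code). The two Azure-specific addresses are
# documented platform endpoints; everything else is a generic internal range.
AZURE_IMDS = ipaddress.ip_network("169.254.169.254/32")      # Instance Metadata Service
AZURE_WIRESERVER = ipaddress.ip_network("168.63.129.16/32")  # wireserver; NOT link-local
BLOCKED_NETWORKS = [
    AZURE_IMDS,
    AZURE_WIRESERVER,
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local (also covers IMDS)
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]
ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], List[str]]


class CheckResult(NamedTuple):
    allowed: bool
    reason: str
    addresses: List[str]


def address_is_blocked(text: str) -> bool:
    """True if an IP literal points at loopback, private, link-local, reserved,
    multicast or platform endpoints. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
    unwrapped so it cannot smuggle an IPv4 target past an IPv4-only check."""
    ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop a zone id such as %eth0
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolver: Resolver = system_resolver) -> CheckResult:
    """Decide whether an outbound fetch of `url` may proceed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return CheckResult(False, f"scheme not allowed: {parts.scheme!r}", [])
    if parts.username is not None or parts.password is not None:
        # Also catches confusion forms such as http://api.example.com@127.0.0.1/
        return CheckResult(False, "credentials in URL are not allowed", [])
    host = parts.hostname
    if not host:
        return CheckResult(False, "missing host", [])
    try:
        ipaddress.ip_address(host.split("%", 1)[0])
        addresses = [host]  # the host is already an IP literal
    except ValueError:
        # Not a dotted/colon literal: let the resolver decide. Odd encodings the
        # OS resolver accepts (e.g. a bare decimal) still end up as an address
        # that is checked below.
        try:
            addresses = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return CheckResult(False, f"resolution failed: {exc}", [])
        if not addresses:
            return CheckResult(False, "host resolved to no addresses", [])
    # Refuse if ANY answer is internal: a mixed answer set is the classic
    # round-robin / DNS rebinding trick.
    for addr in addresses:
        if address_is_blocked(addr):
            return CheckResult(False, f"{addr} is an internal address", addresses)
    return CheckResult(True, "ok", addresses)


# Constructed DNS table so the example runs offline (hostnames and addresses are made up).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.35", "169.254.169.254"],
    "localtest.example.com": ["127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
        "http://168.63.129.16/machine?comp=goalstate",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example.com/",
        "http://api.example.com@127.0.0.1/",
        "file:///etc/passwd",
    ):
        result = check_url(candidate, fake_resolver)
        print(f"{'ALLOW' if result.allowed else 'DENY ':5} {candidate}  ({result.reason})")
```

The check is only as good as what happens next: the fetcher must connect to the address that was validated (pin it, or re-validate inside the connection step) and must not follow redirects blindly, otherwise a second DNS answer or a 302 to http://169.254.169.254/ walks straight past the deny-list.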

Acknowledgement

We appreciate the opportunity to investigate the findings reported by Orca Security, which helped us further harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.

Questions? Open a support case through the Azure Portal at aka.ms/azsupt.
