The research team at cloud security company Orca Security disclosed that it had discovered vulnerabilities in four Microsoft Azure services that risked exposing customer data.
Microsoft has now fixed all of the vulnerabilities in the Azure services, the Orca research team said.
CRN has reached out to Microsoft for comment.
The findings are the latest public cloud services vulnerabilities to be discovered by outside researchers—an effort that Orca Security and other cloud security companies, including Wiz and Palo Alto Networks, have been spearheading amid the ever-climbing adoption of the cloud.
It’s crucial for these vulnerabilities to be uncovered and fixed before hackers can exploit them because “as organizations move more toward the cloud, the attacker is moving to the cloud as well,” Dror Zalman, threat research team leader at Orca Security, told CRN.
Four vulnerabilities were discovered between October and December 2022 and affected the Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins services.
The flaws all fall into the category known as Server Side Request Forgery (SSRF) vulnerabilities.
If exploited, an SSRF vulnerability lets an attacker manipulate the requests a server makes to other services, so the server is tricked into reaching resources on the attacker’s behalf, potentially leading to malicious activity such as data theft or alterations to internal resources.
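As an added illustration of the defensive side of the SSRF class described above (this is example code, not code from Orca, Microsoft or the article): a check a server-side fetch feature can apply before following a user-supplied URL, refusing anything whose hostname is not on an allowlist or that resolves to internal address space. The hostnames and addresses are constructed for the example, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a server-side fetch must never reach: loopback, RFC 1918, link-local
# (which includes the 169.254.169.254 cloud instance-metadata endpoint), CGNAT
# and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the hostname currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def blocked_network_for(address):
    """Return the blocked network containing `address`, or None if it is routable."""
    addr = ipaddress.ip_address(address)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return next((net for net in BLOCKED_NETWORKS if addr in net), None)


def check_target(url, allowed_hosts, resolver=resolve_all):
    """Return "ok" if `url` may be fetched server-side, else the reason it was refused.

    Every address the name maps to is checked, so a name that maps to both a
    public and an internal address is refused rather than fetched.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed: %r" % parts.scheme
    host = (parts.hostname or "").lower()  # userinfo tricks (a@b) yield host b
    if host not in {h.lower() for h in allowed_hosts}:
        return "host not on allowlist: %r" % host
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return "host did not resolve: %r" % host
    for address in addresses:
        net = blocked_network_for(address)
        if net is not None:
            return "address %s is inside blocked network %s" % (address, net)
    # The fetch should then connect to one of `addresses` rather than re-resolve
    # the name, otherwise a DNS answer that changes between check and fetch bypasses this.
    return "ok"
```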
In the case of the vulnerability that affected Azure API Management, for instance, the Orca researchers discovered the potential for retrieving “some very sensitive data” by exploiting the vulnerability, said cloud threat researcher Lidor Ben Shitrit.
Meanwhile, for the vulnerabilities that affected Azure Functions and Azure Digital Twins, the Orca research team found that it was able to exploit the flaws without logging in to an Azure account.
Orca researchers notified the Microsoft Security Response Center about the vulnerabilities after the flaws were discovered, and Microsoft quickly fixed the issues, according to Orca.
While the potential for a breach of Azure services was averted in this case, the risk posed by SSRF vulnerabilities was recently underscored in the cyberattack against the Rackspace Hosted Exchange service.
The December ransomware attack against the service was enabled by a zero-day exploit associated with a Microsoft Exchange vulnerability (CVE-2022-41080), Rackspace disclosed; CrowdStrike has identified that vulnerability as an SSRF flaw.
Hackers gained access to data from 27 Rackspace Hosted Exchange customers during the ransomware attack, but nearly 30,000 customers in all had been using the service and at least some are still waiting to have their historical emails provided to them by Rackspace.
In response to an inquiry about the status of customers’ PST files, a Rackspace representative referred CRN to a page about the incident that was last updated on Jan. 5.