Orca describes four Azure vulnerabilities.
Jan 17, 2023

Microsoft patches Azure vulnerabilities found and disclosed by Orca.

Researchers at Orca Security discovered four Server Side Request Forgery (SSRF) vulnerabilities affecting Microsoft Azure instances, two of which could be exploited without authentication. Microsoft has since patched the flaws.

Four services affected by SSRF issues.

The affected services were Azure API Management, Azure Functions, Azure Machine Learning and Azure Digital Twins. All four flaws were non-blind SSRF vulnerabilities, meaning the response to the forged server-side request is returned to the attacker, which could allow an attacker to “scan local ports, find new services, endpoints, and files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target.”
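The usual root cause of this class of bug is a feature that fetches a user-supplied URL on the server's behalf without constraining where that request may go. The following is an added example, written for this article and not code from Orca Security or Microsoft, of the destination check a practitioner would put in front of such a fetcher: it allow-lists schemes and ports, resolves the hostname, and rejects any resolution to loopback, private, link-local (where cloud metadata services typically live) or IPv4-mapped addresses. The hostnames and the lookup table used to exercise it offline are constructed for the example; the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical policy for the fetch feature: only these schemes and ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """True only if the address is routable on the public internet.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first so the
    IPv4 range checks apply to them as well.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host):
    """Default resolver: every address the OS would connect to for host.
    Numeric tricks such as decimal 2130706433 resolve here to 127.0.0.1."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url, resolver=system_resolver):
    """Return (allowed, reason, pinned_ips) for a user-supplied URL.

    The caller must connect to pinned_ips directly; re-resolving the
    hostname at connect time reopens a DNS-rebinding window.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        ips = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}", []
    if not ips:
        return False, "host did not resolve", []
    # Every returned address must pass; a mixed answer is how rebinding
    # and round-robin tricks smuggle an internal target past the check.
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}", []
    return True, "ok", ips


# Constructed lookup table so the check runs offline; not real DNS data.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "127.0.0.1": ["127.0.0.1"],                # literals resolve to themselves
    "169.254.169.254": ["169.254.169.254"],    # link-local metadata range
    "2130706433": ["127.0.0.1"],               # decimal form of 127.0.0.1
    "::1": ["::1"],
    "::ffff:10.0.0.1": ["::ffff:10.0.0.1"],
}


def constructed_resolver(host):
    """Stand-in for system_resolver that answers from CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed entry for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://example.com/feed", "http://127.0.0.1/",
                      "http://169.254.169.254/metadata", "http://2130706433/",
                      "http://rebind.example/", "http://[::ffff:10.0.0.1]/",
                      "file:///etc/passwd", "http://example.com:8080/"):
        print(candidate, validate_fetch_target(candidate, constructed_resolver)[:2])
```

The check is only half of the fix: the fetcher must open its connection to the returned pinned_ips and must not follow redirects without running each new location through the same validation, otherwise a public host that 302s to an internal address bypasses everything above.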

Unauthenticated access to Azure.

The vulnerabilities affecting Azure Functions and Azure Digital Twins didn’t require authentication, allowing an attacker to exploit the flaws without creating an Azure account. 

The researchers conclude, “The most notable aspect of these discoveries is arguably the number of SSRF vulnerabilities we were able to find with only minimal effort (including another SSRF vulnerability we found last year in Oracle Cloud Services), indicating just how prevalent they are and the risk they pose in cloud environments.”