Orca identifies four Microsoft Azure services susceptible to server-side request forgery


Orca, a cloud security firm, has disclosed details of four server-side request forgery (SSRF) vulnerabilities affecting four Azure services: Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

Three of the Azure flaws were classified as “Important,” while one was classified as “Low.” Microsoft patched all four SSRF flaws. Two of these flaws could have been exploited without requiring authentication. The four SSRF flaws only affect cloud software and do not affect local software in Azure customer environments.

According to Lidor Ben Shitrit, cloud security researcher at Orca, and Dror Zalman, director of cloud security research at Orca, the two vulnerabilities in Azure Functions and Azure Digital Twins did not require authentication, so an attacker could exploit them without an Azure account.

The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports for new services, endpoints, and files. This provided useful information on potentially vulnerable servers and services to exploit for initial entry, as well as the location of potentially vulnerable information.

Microsoft was notified of the research and has since confirmed that the vulnerabilities have been fixed.

The sources for this piece include an article in TheHackerNews.

