Orca identifies four Microsoft Azure services susceptible to server-side request forgery


Orca, a cloud security firm, has disclosed details on four server-side request forgery (SSRF) vulnerabilities that affect the Azure services Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins.

Three of the Azure flaws were classified as “Important,” while one was classified as “Low.” Microsoft patched all four SSRF flaws. Two of these flaws could have been exploited without requiring authentication. The four SSRF flaws only affect cloud software and do not affect local software in Azure customer environments.

According to Lidor Ben Shitrit, cloud security researcher at Orca, and Dror Zalman, director of cloud security research at Orca, the two vulnerabilities involving Azure Functions and Azure Digital Twins did not require authentication, so an attacker could exploit them without an Azure account.

The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports for new services, endpoints, and files. This provided useful information on potentially vulnerable servers and services to exploit for initial entry, as well as the location of potentially vulnerable information.

Microsoft was notified of the research and has since confirmed that the vulnerabilities have been fixed.

The sources for this piece include an article in TheHackerNews.
