"Four Azure Services Vulnerable to Server-Side Request Forgery Flaws"

Four Microsoft Azure services were found to be vulnerable to Server-Side Request Forgery (SSRF), a persistent web security flaw that poses a continuing threat to cloud environments. According to Orca Security, the vulnerable services are Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins. Two of the vulnerabilities, involving Azure Functions and Azure Digital Twins, did not require authentication, meaning they could be exploited without an Azure account. Lidor Ben Shitrit, a cloud security researcher at Orca, stated that the most striking part of these discoveries is the number of SSRF vulnerabilities the researchers were able to find with minimal effort, which shows how prevalent they are and the risk they pose to cloud environments. A successful SSRF attack could let an attacker access or manipulate internal resources and transmit data to external sources, which is what makes SSRF attacks highly risky. In addition, an attacker who gains access to a host's IMDS (its cloud instance metadata service) could obtain detailed information on instances, such as the hostname, security group, MAC address, and user data. This could allow them to retrieve tokens, move to another host, and execute code, according to Dror Zalman, director of cloud security research at Orca. This article continues to discuss the Azure services vulnerable to SSRF attacks and the impact of SSRF vulnerabilities.

SC Media reports "Four Azure Services Vulnerable to Server-Side Request Forgery Flaws"

Submitted by Anonymous on