Microsoft has patched vulnerabilities in the Azure API Management service, including two server-side request forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload.
The vulnerabilities were exploitable through URL formatting bypasses and unrestricted file upload functionality in the API Management developer portal.
Azure API Management is a managed PaaS designed to let organizations develop and securely manage APIs across hybrid and multicloud computing environments.
Of the two SSRF vulnerabilities identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.
By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls. Attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals.
Azure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector.
The developer portal also has a self-hosting feature, which means the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves.
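The missing file type and path validation described above can be illustrated with an added example, which is not code from the developer portal or from Microsoft. It puts an unvalidated path join beside a hardened resolver that an operator of a self-hosted portal could place in front of an upload handler; the function names, the `/srv/portal/media` directory and the extension allowlist are assumptions.

```javascript
// Added example, not the developer portal's code. All names and paths are hypothetical.
const path = require("path");

// Assumption: the portal only needs to accept static media from users.
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp"]);

// Before: the client-supplied path is joined as-is, so "../" segments
// walk out of the upload directory and any file type is accepted.
function naiveUploadPath(uploadRoot, clientPath) {
  return path.join(uploadRoot, clientPath);
}

// After: resolve first, then check containment and file type on the result.
function resolveUploadPath(uploadRoot, clientPath) {
  if (typeof clientPath !== "string" || clientPath === "" || clientPath.includes("\0")) {
    throw new Error("invalid upload path");
  }
  // Treat "\" as a separator so Windows-style traversal is caught on any host OS.
  const normalized = clientPath.replace(/\\/g, "/");
  if (normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized)) {
    throw new Error("absolute paths are not allowed");
  }
  const root = path.resolve(uploadRoot);
  const target = path.resolve(root, normalized);
  // Compare resolved paths; a check on the raw string misses "a/../../b".
  if (!target.startsWith(root + path.sep)) {
    throw new Error("path escapes upload root");
  }
  // Allowlist by extension: rejects .dll, web.config, iisnode.yml and similar.
  if (!ALLOWED_EXTENSIONS.has(path.extname(target).toLowerCase())) {
    throw new Error("file type not allowed");
  }
  return target;
}

// Constructed inputs; returns "ok" or the rejection reason for each.
function checkSamples(uploadRoot, samples) {
  return samples.map((p) => {
    try { resolveUploadPath(uploadRoot, p); return "ok"; }
    catch (e) { return e.message; }
  });
}

console.log(checkSamples("/srv/portal/media", [
  "img/logo.png", "../../bin/evil.dll", "..\\..\\web.config", "iisnode.yml",
]));
```

The containment check is lexical and does not follow symbolic links, so the upload directory itself should not contain links that point outside it.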
The Azure API Management CORS Proxy vulnerability was initially believed to be a duplicate of a previously reported vulnerability that Microsoft had patched. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January.