Monday, December 9, 2024
HomeAzureAzure API Management Vulnerabilities Let Attackers Escalate Privileges

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Published on

SIEM as a Service

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could allow attackers with minimal privileges to escalate their access and take full control over the APIM service.

These vulnerabilities were reported to Microsoft, leading to some fixes. However, certain issues remain unresolved, exposing many users unless they manually disable legacy API versions.

Vulnerabilities in Azure API Management

Azure API Management is Microsoft’s cloud-based offering for managing APIs at scale.

- Advertisement - SIEM as a Service

It provides features like API definition, security policies, and rate limiting essential for enterprise-grade API management.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

However, vulnerabilities in the older versions of its Azure Resource Manager (ARM) API have exposed a significant attack vector for privilege escalation.

Vulnerabilities in Azure API Management

The primary issue revolves around the use of older API versions. Despite Microsoft’s updates, old versions of the ARM API are still accessible and can be exploited by attackers.

These APIs allow users with Reader permissions—only meant to have read-only access—to perform actions reserved for administrators. These actions include:

  • Deploying new APIs
  • Modifying existing APIs
  • Reading sensitive secrets and subscription keys

A notable vulnerability involves subscription keys, secrets used to grant access to APIs in APIM.

Attackers with Reader privileges can dump all subscription keys by manipulating API calls to older ARM API versions, bypassing restrictions Microsoft introduced in newer versions.

For example, an outdated API call like the one shown below can retrieve all subscription keys:

GET /Microsoft.ApiManagement/service/tmp-apim-sf/subscriptions?api-version=2014-02-14&$top=20 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The most severe vulnerability allows attackers to escalate privileges from a Reader to a full Administrator role.

By exploiting legacy API endpoints, attackers can retrieve a Shared Access Signature (SAS) token, granting them administrative access to the APIM service.

Here’s an example of the API call that retrieves the SSO token, which can be exploited to gain full control:

GET /providers/Microsoft.ApiManagement/service/tmp-apim-sf/getssotoken?api-version=2016-07-07 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The returned token lets the attacker authenticate as an administrator, compromising the entire service.

Microsoft has introduced a toggle called “Disable old API versions” to reduce this risk. However, the toggle is not enabled by default, leaving many APIM services vulnerable.

Binary Security criticized Microsoft’s handling of the issue, pointing out that while some fixes were implemented, key vulnerabilities remain exploitable.

The company also noted that Microsoft’s communication regarding these vulnerabilities was lacking.

While Microsoft has addressed some vulnerabilities in Azure API Management, the remaining issues highlight the importance of staying vigilant and applying best practices for cloud security.

Enterprises using APIM should ensure legacy APIs are disabled and take proactive steps to secure their API environments against privilege escalation attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...