Cyber Security News

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could allow attackers with minimal privileges to escalate their access and take full control over the APIM service.

These vulnerabilities were reported to Microsoft, leading to some fixes. However, certain issues remain unresolved, exposing many users unless they manually disable legacy API versions.

Vulnerabilities in Azure API Management

Azure API Management is Microsoft’s cloud-based offering for managing APIs at scale.

It provides features like API definition, security policies, and rate limiting essential for enterprise-grade API management.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

However, vulnerabilities in the older versions of its Azure Resource Manager (ARM) API have exposed a significant attack vector for privilege escalation.

Vulnerabilities in Azure API Management

The primary issue revolves around the use of older API versions. Despite Microsoft’s updates, old versions of the ARM API are still accessible and can be exploited by attackers.

These APIs allow users with Reader permissions—only meant to have read-only access—to perform actions reserved for administrators. These actions include:

  • Deploying new APIs
  • Modifying existing APIs
  • Reading sensitive secrets and subscription keys

A notable vulnerability involves subscription keys, secrets used to grant access to APIs in APIM.

Attackers with Reader privileges can dump all subscription keys by manipulating API calls to older ARM API versions, bypassing restrictions Microsoft introduced in newer versions.

For example, an outdated API call like the one shown below can retrieve all subscription keys:

GET /Microsoft.ApiManagement/service/tmp-apim-sf/subscriptions?api-version=2014-02-14&$top=20 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The most severe vulnerability allows attackers to escalate privileges from a Reader to a full Administrator role.

By exploiting legacy API endpoints, attackers can retrieve a Shared Access Signature (SAS) token, granting them administrative access to the APIM service.

Here’s an example of the API call that retrieves the SSO token, which can be exploited to gain full control:

GET /providers/Microsoft.ApiManagement/service/tmp-apim-sf/getssotoken?api-version=2016-07-07 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The returned token lets the attacker authenticate as an administrator, compromising the entire service.

Microsoft has introduced a toggle called “Disable old API versions” to reduce this risk. However, the toggle is not enabled by default, leaving many APIM services vulnerable.

Binary Security criticized Microsoft’s handling of the issue, pointing out that while some fixes were implemented, key vulnerabilities remain exploitable.

The company also noted that Microsoft’s communication regarding these vulnerabilities was lacking.

While Microsoft has addressed some vulnerabilities in Azure API Management, the remaining issues highlight the importance of staying vigilant and applying best practices for cloud security.

Enterprises using APIM should ensure legacy APIs are disabled and take proactive steps to secure their API environments against privilege escalation attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago