Cyber Security News

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could allow attackers with minimal privileges to escalate their access and take full control over the APIM service.

These vulnerabilities were reported to Microsoft, leading to some fixes. However, certain issues remain unresolved, exposing many users unless they manually disable legacy API versions.

Vulnerabilities in Azure API Management

Azure API Management is Microsoft’s cloud-based offering for managing APIs at scale.

It provides features like API definition, security policies, and rate limiting essential for enterprise-grade API management.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

However, vulnerabilities in the older versions of its Azure Resource Manager (ARM) API have exposed a significant attack vector for privilege escalation.

Vulnerabilities in Azure API Management

The primary issue revolves around the use of older API versions. Despite Microsoft’s updates, old versions of the ARM API are still accessible and can be exploited by attackers.

These APIs allow users with Reader permissions—only meant to have read-only access—to perform actions reserved for administrators. These actions include:

  • Deploying new APIs
  • Modifying existing APIs
  • Reading sensitive secrets and subscription keys

A notable vulnerability involves subscription keys, secrets used to grant access to APIs in APIM.

Attackers with Reader privileges can dump all subscription keys by manipulating API calls to older ARM API versions, bypassing restrictions Microsoft introduced in newer versions.

For example, an outdated API call like the one shown below can retrieve all subscription keys:

GET /Microsoft.ApiManagement/service/tmp-apim-sf/subscriptions?api-version=2014-02-14&$top=20 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The most severe vulnerability allows attackers to escalate privileges from a Reader to a full Administrator role.

By exploiting legacy API endpoints, attackers can retrieve a Shared Access Signature (SAS) token, granting them administrative access to the APIM service.

Here’s an example of the API call that retrieves the SSO token, which can be exploited to gain full control:

GET /providers/Microsoft.ApiManagement/service/tmp-apim-sf/getssotoken?api-version=2016-07-07 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The returned token lets the attacker authenticate as an administrator, compromising the entire service.

Microsoft has introduced a toggle called “Disable old API versions” to reduce this risk. However, the toggle is not enabled by default, leaving many APIM services vulnerable.

Binary Security criticized Microsoft’s handling of the issue, pointing out that while some fixes were implemented, key vulnerabilities remain exploitable.

The company also noted that Microsoft’s communication regarding these vulnerabilities was lacking.

While Microsoft has addressed some vulnerabilities in Azure API Management, the remaining issues highlight the importance of staying vigilant and applying best practices for cloud security.

Enterprises using APIM should ensure legacy APIs are disabled and take proactive steps to secure their API environments against privilege escalation attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a hacking…

17 seconds ago

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market. Unlike traditional standalone ransomware sales, RaaS offers…

4 mins ago

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their tactics,…

13 mins ago

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing" or…

17 mins ago

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information by…

20 mins ago

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially misidentified…

23 mins ago