Azure API Management Vulnerability Let Attackers Escalate Privileges

A vulnerability in Azure API Management (APIM) has been identified. It allows attackers to escalate privileges and access sensitive information.

This issue arises from a flaw in the Azure Resource Manager (ARM) API, which permits unauthorized access to critical resources.

This article delves into the specifics of the vulnerability, its implications, and the steps taken to mitigate the risk.

Understanding the ARM API Vulnerability

The Azure Resource Manager (ARM) API manages Azure resources, including APIM instances.

When users with Reader permissions access an APIM resource, the ARM API typically restricts certain actions, as a report by BinarySecurity.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

However, older versions of the ARM API allowed users with Reader access to view all subscription keys, read client credentials of identity provider service principals, and access keys for the Direct Management API.

To address these issues, Microsoft introduced a feature to enforce a minimum ARM API version, thereby blocking older, vulnerable versions.

By setting this restriction to an API version newer than 2020, users with Reader access are prevented from viewing subscription keys and other sensitive information.

Despite these measures, a bug bypassed these restrictions by allowing access to admin user keys.

The Direct Management API: A Closer Look

The Direct Management API is a crucial component of an APIM instance. It enables operations on entities such as users, groups, products, and subscriptions.

An Admin user is created with extensive permissions over these entities by default. The vulnerability lies in the ability of users with Reader privileges to exploit an overlooked ARM API endpoint and gain unauthorized access.

Here is an example of how attackers could exploit this vulnerability:

GET /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.ApiManagement/service/<instance_name>/users/1/keys?api-version=2023-03-01-preview HTTP/2

Host: management.azure.com

Authorization: Bearer <legitimate_arm_bearer_token>

This request allows attackers to retrieve admin user keys and generate Shared Access Signatures (SAS), granting further access to sensitive data.

Demonstrating the Exploit

The vulnerability can be demonstrated by accessing admin user keys and generating SAS tokens.

These tokens can be used to interact with the APIM Management API and perform unauthorized actions:

def get_expiry(self):
    return (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%S.0000000Z")
def generate_apim_sas_token(self, key, uid, version=1):
    exp = self.get_expiry()
    if version == 1:
        message = f"uid={uid}&ex={exp}"
        message_to_sign = f"{uid}\n{exp}"
        signature = base64.b64encode(self.hmac_sha512(message_to_sign, key)).decode("utf-8")
        sas_token = f"{message}&sn={signature}"
    return sas_token

With these tokens, attackers can list subscription keys or identity provider keys:

/subscription/0/resourceGroups/0/providers/Microsoft.ApiManagement/service/0/subscriptions/<sub_id>/listSecrets?api-version=2022-08-01 HTTP/1.1
Host: <service>.management.azure-api.net
Authorization: SharedAccessSignature uid=1&ex=2024-05-01T00:00:00:000000Z&sn=ABCDEFG==
Content-Length: 0
Content-Type: application/json

Remediation and Future Precautions

Microsoft addressed this vulnerability by restricting the ARM API for users with Reader privileges.

The fix was implemented swiftly and retroactively applied to all APIM instances. Despite this resolution, similar vulnerabilities may emerge in the future.

To enhance security and build defense in depth, it is recommended that critical Azure resources be made private and accessible only from their virtual networks (VNETs).

Additionally, organizations should consider deploying security measures such as CI/CD runners to monitor and manage resource access.

The vulnerability was classified as having a vital severity level with a security impact of elevation of privilege.

As cloud environments evolve, vigilance and proactive security measures remain essential in protecting sensitive data and maintaining system integrity.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar