Current discoveries by Binary Safety have revealed important vulnerabilities in Azure API Administration (APIM) that might enable attackers with minimal privileges to escalate their entry and take full management over the APIM service.
These vulnerabilities have been reported to Microsoft, resulting in some fixes. Nevertheless, sure points stay unresolved, exposing many customers until they manually disable legacy API variations.
Vulnerabilities in Azure API Administration
Azure API Administration is Microsoft’s cloud-based providing for managing APIs at scale.
It offers options like API definition, safety insurance policies, and fee limiting important for enterprise-grade API administration.
Construct an in-house SOC or outsource SOC-as-a-Service -> Calculate Prices
Nevertheless, vulnerabilities within the older variations of its Azure Useful resource Supervisor (ARM) API have uncovered a big assault vector for privilege escalation.
The first problem revolves round using older API variations. Regardless of Microsoft’s updates, outdated variations of the ARM API are nonetheless accessible and will be exploited by attackers.
These APIs enable customers with Reader permissions—solely meant to have read-only entry—to carry out actions reserved for directors. These actions embrace:
- Deploying new APIs
- Modifying present APIs
- Studying delicate secrets and techniques and subscription keys
A notable vulnerability includes subscription keys, secrets and techniques used to grant entry to APIs in APIM.
Attackers with Reader privileges can dump all subscription keys by manipulating API calls to older ARM API variations, bypassing restrictions Microsoft launched in newer variations.
For instance, an outdated API name just like the one proven under can retrieve all subscription keys:
GET /Microsoft.ApiManagement/service/tmp-apim-sf/subscriptions?api-version=2014-02-14&$prime=20 HTTP/1.1
Host: administration.azure.com
Authorization: Bearer eyJ…Essentially the most extreme vulnerability permits attackers to escalate privileges from a Reader to a full Administrator position.
By exploiting legacy API endpoints, attackers can retrieve a Shared Entry Signature (SAS) token, granting them administrative entry to the APIM service.
Right here’s an instance of the API name that retrieves the SSO token, which will be exploited to achieve full management:
GET /suppliers/Microsoft.ApiManagement/service/tmp-apim-sf/getssotoken?api-version=2016-07-07 HTTP/1.1
Host: administration.azure.com
Authorization: Bearer eyJ…The returned token lets the attacker authenticate as an administrator, compromising the complete service.
Microsoft has launched a toggle referred to as “Disable outdated API variations” to cut back this threat. Nevertheless, the toggle just isn’t enabled by default, leaving many APIM providers susceptible.
Binary Safety criticized Microsoft’s dealing with of the problem, stating that whereas some fixes have been applied, key vulnerabilities stay exploitable.
The corporate additionally famous that Microsoft’s communication concerning these vulnerabilities was missing.
Whereas Microsoft has addressed some vulnerabilities in Azure API Administration, the remaining points spotlight the significance of staying vigilant and making use of finest practices for cloud safety.
Enterprises utilizing APIM ought to guarantee legacy APIs are disabled and take proactive steps to safe their API environments in opposition to privilege escalation assaults.
Run non-public, Actual-time Malware Evaluation in each Home windows & Linux VMs. Get a 14-day free trial with ANY.RUN!