The vulnerabilities comprise url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, according to cybersecurity firm Ermetic. Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January.The Azure API Management is a managed platform-as-a-service (PaaS) designed to let companies develop and securely manage APIs across hybrid and multicloud computing environments.“By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert Thursday, adding that via the file upload path traversal, attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals. SSRF vulnerability bypasses the previous fixOf the two separate SSRF vulnerabilities that were identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.The Azure API Management CORS Proxy was initially believed to be a duplicate of a previously reported vulnerability that was patched by Microsoft. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January. The SSRF vulnerabilities affected central servers that many users and organizations depend on for day-to-day operations. “Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” Ermetic said in the research.Path transverse vulnerability’s impact beyond AzureAzure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. “Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector,” Ermetic said.The developer portal also has a self-hosting feature indicating that the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves, according to Ermetic. Recently identified vulnerabilities in AzureRecently, there have been a few other, critical vulnerabilities identified in Azure.Last month, a “by-design” flaw was identified in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in computing environments, and even execute remote code, according to research from cybersecurity firm Orca.To prevent exploits of the flaw, researchers advised that organizations should disable Azure Shared Key authorization and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege access so that this risk can be greatly reduced, Orca said. In January, Ermetic identified a remote code execution vulnerability affecting services such as Function Apps, App Service, Logic Apps on Azure Cloud, and other cloud services. The vulnerability, dubbed EmojiDeploy, is achieved through cross-site address forgery (CSRF) on the ubiquitous software change management (SCM) service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim’s Azure application. Related content brandpost Shifting security left: DevSecOps meets virtualization By Anthony Ricco, CMO of Corellium. 01 Jul 2023 4 mins Security news analysis Attackers add hacked servers to commercial proxy networks for profit Proxyjacking allows attackers to sell unknowing victims' unused network bandwidth. By Lucian Constantin 30 Jun 2023 4 mins Cybercrime news Command-and-control framework PhonyC2 attributed to Iran’s Muddywater group PhonyC2 was used to exploit the log4j vulnerability in the Israeli software SysAid, the attack against Israel’s Technion institute, and the ongoing attack against the PaperCut print management software. By Apurva Venkat 30 Jun 2023 4 mins Advanced Persistent Threats Cyberattacks Vulnerabilities news First state-sponsored cyberattack against UK government revealed two decades later Rare insight marks the 20th anniversary of a state-backed malware attack on a UK government department. By Michael Hill 30 Jun 2023 3 mins Cyberattacks Government Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe