Orca Security announces newly discovered Microsoft Azure vulnerabilities

January 30 2023

Orca Security, a cybersecurity research organization, announced that its researchers have uncovered new Azure security vulnerabilities. The vulnerabilities involved server-side request forgery (SSRF), and Orca promptly reported them to the Microsoft Security Response Center.

According to Orca, the vulnerabilities affected four services: API Management, Functions, Machine Learning, and Digital Twins. The researchers were able to exploit two of the vulnerabilities without authentication, sending requests in place of the server without an Azure account. Attackers could, in theory, scan local ports, files, and endpoints to plan a broader attack.

Microsoft implemented several SSRF countermeasures in 2020, including requirements for accessing an instance metadata service endpoint, as well as an Identity Header for App Service and Functions.

About MSCN Reporter