Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

SSRF Security Feature Bypass in Azure AI and ML Studios

High

Synopsis

Tenable Research discovered an issue affecting ml.azure.com / ai.azure.com whereby an attacker could circumvent SSRF protections in order to return content from otherwise inaccessible internal addresses, such as localhost/127.0.0.1.

Certain API endpoints on ml.azure.com and ai.azure.com used for adding/viewing data connections could be leveraged for server side request forgeries (SSRF). While they do have protections to restrict making requests to internal hosts, it was possible to circumvent those protections using a 301 or 302 redirect response which points to a sensitive host.

It should be noted that localhost, as well as other internal hosts on the accessible network, appeared to be a part of shared, region-specific infrastructure supporting AI and ML services for tenants in that region.

Proof of Concept

There were a number of API endpoints which were affected by this issue, one of which was shown below. An attacker could set up an external server which, when receiving requests, always performs a 302 redirect to the desired internal host. 

We could then make a request to this attacker-controlled server via the AI/ML API and the request would be redirected, avoiding restrictions on which hosts can be reached with this API.


proof-of-concept example


In this example, the redirect is to 127.0.0.1:4191, and the requested path is “/metrics#”. This corresponds to a Linkerd (https://linkerd.io/) metrics endpoint, and would return metrics which could reveal other internal hosts and services.

Solution

Microsoft has mitigated this issue on the affected services. No customer action is
required.

Disclosure Timeline

April 30, 2024 - Tenable reports issue to MSRC
April 30, 2024 - MSRC acknowledges
May 1, 2024 - MSRC opens a case for the issue
May 6, 2024 - MSRC indicates they are investigating the issue, request additional information
May 8, 2024 - Tenable provides additional information
May 10, 2024 - MSRC confirms the issue behavior, notes that they will roll fixes out over the coming weeks
June 4, 2024 - MSRC informs Tenable that the issue has been mitigated
June 17, 2024 - Advisory published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-22
Credit:
Evan Grant
Jimi Sebree
Liv Matan
Affected Products:
ai.azure.com
ml.azure.com
Risk Factor:
High

Advisory Timeline

June 17, 2024 - Initial Advisory Published
June 17, 2024 - Updated with reference to MSRC Blog