The vulnerabilities comprise url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, according to cybersecurity firm Ermetic. Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January.The Azure API Management is a managed platform-as-a-service (PaaS) designed to let companies develop and securely manage APIs across hybrid and multicloud computing environments.“By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert Thursday, adding that via the file upload path traversal, attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals. SSRF vulnerability bypasses the previous fixOf the two separate SSRF vulnerabilities that were identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.The Azure API Management CORS Proxy was initially believed to be a duplicate of a previously reported vulnerability that was patched by Microsoft. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January. The SSRF vulnerabilities affected central servers that many users and organizations depend on for day-to-day operations. “Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” Ermetic said in the research.Path transverse vulnerability’s impact beyond AzureAzure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. “Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector,” Ermetic said.The developer portal also has a self-hosting feature indicating that the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves, according to Ermetic. Recently identified vulnerabilities in AzureRecently, there have been a few other, critical vulnerabilities identified in Azure.Last month, a “by-design” flaw was identified in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in computing environments, and even execute remote code, according to research from cybersecurity firm Orca.To prevent exploits of the flaw, researchers advised that organizations should disable Azure Shared Key authorization and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege access so that this risk can be greatly reduced, Orca said. In January, Ermetic identified a remote code execution vulnerability affecting services such as Function Apps, App Service, Logic Apps on Azure Cloud, and other cloud services. The vulnerability, dubbed EmojiDeploy, is achieved through cross-site address forgery (CSRF) on the ubiquitous software change management (SCM) service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim’s Azure application. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe