The vulnerabilities comprise url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, according to cybersecurity firm Ermetic. Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January.The Azure API Management is a managed platform-as-a-service (PaaS) designed to let companies develop and securely manage APIs across hybrid and multicloud computing environments.“By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert Thursday, adding that via the file upload path traversal, attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals. SSRF vulnerability bypasses the previous fixOf the two separate SSRF vulnerabilities that were identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.The Azure API Management CORS Proxy was initially believed to be a duplicate of a previously reported vulnerability that was patched by Microsoft. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January. The SSRF vulnerabilities affected central servers that many users and organizations depend on for day-to-day operations. “Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” Ermetic said in the research.Path transverse vulnerability’s impact beyond AzureAzure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. “Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector,” Ermetic said.The developer portal also has a self-hosting feature indicating that the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves, according to Ermetic. Recently identified vulnerabilities in AzureRecently, there have been a few other, critical vulnerabilities identified in Azure.Last month, a “by-design” flaw was identified in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in computing environments, and even execute remote code, according to research from cybersecurity firm Orca.To prevent exploits of the flaw, researchers advised that organizations should disable Azure Shared Key authorization and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege access so that this risk can be greatly reduced, Orca said. In January, Ermetic identified a remote code execution vulnerability affecting services such as Function Apps, App Service, Logic Apps on Azure Cloud, and other cloud services. The vulnerability, dubbed EmojiDeploy, is achieved through cross-site address forgery (CSRF) on the ubiquitous software change management (SCM) service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim’s Azure application. Related content news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices feature 20 years of Patch Tuesday: it’s time to look outside the Windows when fixing vulnerabilities After two decades of regular and indispensable updates, it’s clear that security teams need take a more holistic approach to applying fixes far beyond the Microsoft ecosystem. By Susan Bradley Dec 06, 2023 6 mins Patch Management Software Threat and Vulnerability Management Windows Security feature What should be in a company-wide policy on low-code/no-code development Low-code/no-code development could bridge the gulf of development backlogs that exists between great ideas and great execution of digital innovation. But not without security policies around areas like access control, code quality, and application vi By Ericka Chickowski Dec 06, 2023 15 mins Application Security Security Practices news analysis Cisco unveils AI-powered assistants to level up security defenses New AI-driven tools aim to simplify and bolster policies, alerts and prevention to reduce complexity when setting security policies and assess traffic without decryption. By Rosalyn Page Dec 05, 2023 5 mins Encryption Cloud Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe