The vulnerabilities comprise url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, according to cybersecurity firm Ermetic. Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic.The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January.The Azure API Management is a managed platform-as-a-service (PaaS) designed to let companies develop and securely manage APIs across hybrid and multicloud computing environments. “By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] Proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert Thursday, adding that via the file upload path traversal, attackers also could upload malicious files to Azure’s hosted internal workload and to self-hosted developer portals. SSRF vulnerability bypasses the previous fixOf the two separate SSRF vulnerabilities that were identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.The Azure API Management CORS Proxy was initially believed to be a duplicate of a previously reported vulnerability that was patched by Microsoft. However, it was later discovered that the vulnerability bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January. The SSRF vulnerabilities affected central servers that many users and organizations depend on for day-to-day operations. “Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” Ermetic said in the research.Path transverse vulnerability’s impact beyond AzureAzure does not validate the file type and path of the files uploaded on the Azure developer portal for the API Management service. “Authenticated users can traverse the path specified when uploading the files, upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, iisnode config swapping, or any other relevant attack vector,” Ermetic said.The developer portal also has a self-hosting feature indicating that the vulnerability affects not only Azure but also end users who have deployed the developer portal themselves, according to Ermetic. Recently identified vulnerabilities in AzureRecently, there have been a few other, critical vulnerabilities identified in Azure.Last month, a “by-design” flaw was identified in Microsoft Azure that could be exploited by attackers to gain access to storage accounts, move laterally in computing environments, and even execute remote code, according to research from cybersecurity firm Orca.To prevent exploits of the flaw, researchers advised that organizations should disable Azure Shared Key authorization and use Azure Active Directory authentication instead. Organizations should also implement the principle of least privilege access so that this risk can be greatly reduced, Orca said. In January, Ermetic identified a remote code execution vulnerability affecting services such as Function Apps, App Service, Logic Apps on Azure Cloud, and other cloud services. The vulnerability, dubbed EmojiDeploy, is achieved through cross-site address forgery (CSRF) on the ubiquitous software change management (SCM) service Kudu. By abusing the vulnerability, attackers can deploy malicious zip files containing a payload to the victim’s Azure application. Related content how-to Download the hybrid cloud data protection enterprise buyer’s guide From the editors of our sister publication Network World, this enterprise buyer’s guide helps network and security IT staff understand the issues their organizations face around protecting corporate data in a hybrid cloud environment and how to By Neal Weinberg May 20, 2024 1 min Cloud Security Data and Information Security Enterprise Buyer’s Guides news analysis Global stability issues alter cyber threat landscape, ESET reports With conflict on the rise, regional APT groups are increasing activity, altering focus, and putting specific industries in their crosshairs. Here’s what CISOs should know. By Evan Schuman May 20, 2024 4 mins Advanced Persistent Threats Cyberattacks Threat and Vulnerability Management feature The inside story of Cyber Command’s creation Cartoons, Starbucks cards, and Hollywood storyboards: The ‘Four Horsemen of Cyber’ — CISA’s Jen Easterly, Lt. Gen. S.L. Davis, retired US Navy Vice Admiral T.J. White, and former NSA chief Paul Nakasone — revealed at RSA By Cynthia Brumfield May 20, 2024 8 mins Aerospace and Defense Industry CSO and CISO Military news analysis SEC rule for finance firms boosts disclosure requirements Amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. By Evan Schuman May 17, 2024 5 mins Data Breach Financial Services Industry Data Privacy PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe