Tuesday, November 12, 2024
HomeAzureAzure API Management Vulnerabilities Let Attackers Escalate Privileges

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Published on

Malware protection

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could allow attackers with minimal privileges to escalate their access and take full control over the APIM service.

These vulnerabilities were reported to Microsoft, leading to some fixes. However, certain issues remain unresolved, exposing many users unless they manually disable legacy API versions.

Vulnerabilities in Azure API Management

Azure API Management is Microsoft’s cloud-based offering for managing APIs at scale.

- Advertisement - SIEM as a Service

It provides features like API definition, security policies, and rate limiting essential for enterprise-grade API management.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

However, vulnerabilities in the older versions of its Azure Resource Manager (ARM) API have exposed a significant attack vector for privilege escalation.

Vulnerabilities in Azure API Management

The primary issue revolves around the use of older API versions. Despite Microsoft’s updates, old versions of the ARM API are still accessible and can be exploited by attackers.

These APIs allow users with Reader permissions—only meant to have read-only access—to perform actions reserved for administrators. These actions include:

  • Deploying new APIs
  • Modifying existing APIs
  • Reading sensitive secrets and subscription keys

A notable vulnerability involves subscription keys, secrets used to grant access to APIs in APIM.

Attackers with Reader privileges can dump all subscription keys by manipulating API calls to older ARM API versions, bypassing restrictions Microsoft introduced in newer versions.

For example, an outdated API call like the one shown below can retrieve all subscription keys:

GET /Microsoft.ApiManagement/service/tmp-apim-sf/subscriptions?api-version=2014-02-14&$top=20 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The most severe vulnerability allows attackers to escalate privileges from a Reader to a full Administrator role.

By exploiting legacy API endpoints, attackers can retrieve a Shared Access Signature (SAS) token, granting them administrative access to the APIM service.

Here’s an example of the API call that retrieves the SSO token, which can be exploited to gain full control:

GET /providers/Microsoft.ApiManagement/service/tmp-apim-sf/getssotoken?api-version=2016-07-07 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ…

The returned token lets the attacker authenticate as an administrator, compromising the entire service.

Microsoft has introduced a toggle called “Disable old API versions” to reduce this risk. However, the toggle is not enabled by default, leaving many APIM services vulnerable.

Binary Security criticized Microsoft’s handling of the issue, pointing out that while some fixes were implemented, key vulnerabilities remain exploitable.

The company also noted that Microsoft’s communication regarding these vulnerabilities was lacking.

While Microsoft has addressed some vulnerabilities in Azure API Management, the remaining issues highlight the importance of staying vigilant and applying best practices for cloud security.

Enterprises using APIM should ensure legacy APIs are disabled and take proactive steps to secure their API environments against privilege escalation attacks.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!



Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...