A recent discovery has brought to light a significant vulnerability in Azure API Management (APIM), posing a risk of privileges escalation and unauthorized access to sensitive information. This flaw stems from a loophole in the Azure Resource Manager (ARM) API, which can open the door for attackers to gain access to critical resources without proper authorization.

The issue at hand revolves around the ARM API, which is responsible for managing Azure resources, including APIM instances. Generally, users with Reader permissions are restricted from certain actions when accessing an APIM resource through the ARM API. However, older versions of the ARM API inadvertently allowed users with Reader access to view all subscription keys, read client credentials of identity provider service principals, and access keys for the Direct Management API.

To address this vulnerability, Microsoft introduced a feature to enforce a minimum ARM API version, effectively blocking the older, vulnerable versions. By setting this restriction to an API version newer than 2020, users with Reader access are now prevented from viewing subscription keys and other sensitive information. Despite these efforts, there was a bug that bypassed these restrictions, allowing access to admin user keys.

The Direct Management API is a critical component of an APIM instance, enabling operations on entities like users, groups, products, and subscriptions. An Admin user typically holds extensive permissions over these entities by default. The vulnerability lies in the ability of users with Reader privileges to exploit an overlooked ARM API endpoint and gain unauthorized access. Attackers could potentially retrieve admin user keys and generate Shared Access Signatures (SAS) by crafting specific requests and exploiting the vulnerability.

Microsoft swiftly addressed this vulnerability by restricting the ARM API for users with Reader privileges and retroactively applying the fix to all APIM instances. However, the proactive implementation of security measures like making critical Azure resources private and accessible only from their virtual networks (VNETs) is recommended to enhance defense in depth. Organizations should also consider deploying security measures such as CI/CD runners to monitor and manage resource access.

The severity of this vulnerability was classified as vital with a security impact of elevation of privilege. As cloud environments continue to evolve, maintaining vigilance and implementing proactive security measures are crucial to safeguard sensitive data and uphold system integrity. It is imperative for organizations to stay ahead of potential threats and continuously strengthen their cybersecurity posture to mitigate risks effectively.

Source link