Microsoft has fixed vulnerabilities in four separate services of its Azure cloud platform, two of which could have allowed attackers to perform a server-side request forgery (SSRF) attack — and thus potentially execute remote code execution — even without authentication to a legitimate account, researchers have found.
Researchers from Orca Security identified four Azure services vulnerable to SSRF — Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, they revealed in a blog post published Jan. 17. Further, they were able to exploit the flaws in Azure Functions and Azure Digital Twins by sending requests in the server’s name even without having to authenticate to an Azure account, they said.
