Advisory

Binary Security reports partially fixed flaws in Azure API Management enabling privilege escalation

Take action: If you are using Azure API Management, review your configuration and, if possible, disable the legacy API versions and monitor for their reactivation or use. Alternatively, implement a cordoned-off approach, with only trusted and locked-down automation accessing the legacy API, so that it is much more difficult to exploit.


Learn More

Binary Security is reporting vulnerabilities in Microsoft’s Azure API Management (APIM) service that permit privilege escalation from the Reader role to full administrative access.

The primary issue lies in Microsoft’s legacy API versions, which, when used, allow attackers with Reader-level access to generate Single Sign-On (SSO) tokens that provide unrestricted control over the APIM Management API. These vulnerabilities enable attackers to bypass intended access restrictions and access or manipulate sensitive APIM components.

The vulnerabilities, uncovered through older versions of the Azure Resource Manager (ARM) API, expose various sensitive APIM secrets, including:

  • Subscription keys
  • OAuth credentials for identity provider integrations
  • Integration keys (used for the Direct Management API authentication)

The most critical vulnerability involves a deprecated endpoint that can generate an administrative SSO token. With this token, attackers can gain full access to the APIM Management API, allowing them to:

  • Deploy new APIs
  • Modify existing APIs
  • Access sensitive configuration data
  • Fully control the APIM service, contrary to the expected limitations of a Reader role.

Binary Security initially reported these vulnerabilities to Microsoft in February 2023. Despite some mitigations, such as obscuring certain sensitive fields in the Azure portal, many issues related to legacy APIs remain unaddressed. Microsoft has indicated a plan to automatically disable these APIs by June 2024, but new APIM deployments currently enable legacy API versions by default.

To mitigate these vulnerabilities, Binary Security recommends:

  • Restricting network-level access to management interfaces to limit exposure.
  • Implementing VNETs, jump hosts, and dedicated CI/CD IP addresses for deployment.
  • Disabling legacy APIs in APIM services through the Azure portal or ARM settings (properties.apiVersionConstraint.minApiVersion).
  • Configuring the Management API settings to prevent older, insecure API versions from being accessible.
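The third recommendation above can be verified at the ARM level. The following audit script is an added example, not Binary Security's or Microsoft's code: it reads APIM resource documents in the shape exported by the Azure CLI (`az resource show`), flags services where `properties.apiVersionConstraint.minApiVersion` is missing or older than a chosen floor, and builds the PATCH body that raises it. The sample resources and the floor value 2021-08-01 are constructed; set the floor to the oldest API version your own automation actually uses.

```python
# Audit exported APIM resources (shape of `az resource show`; only the fields used here)
# for the legacy-API gate: properties.apiVersionConstraint.minApiVersion missing or too old.
import json
from datetime import date

# Constructed sample: three services, one per state (none are real deployments).
SAMPLE_RESOURCES = json.loads("""
[
  {"name": "apim-prod", "type": "Microsoft.ApiManagement/service",
   "properties": {"apiVersionConstraint": {"minApiVersion": "2021-08-01"}}},
  {"name": "apim-legacy", "type": "Microsoft.ApiManagement/service",
   "properties": {"apiVersionConstraint": {"minApiVersion": "2019-01-01"}}},
  {"name": "apim-new", "type": "Microsoft.ApiManagement/service",
   "properties": {}}
]
""")


def _version_date(api_version):
    """Parse the YYYY-MM-DD prefix of an ARM api-version ('-preview' suffix allowed)."""
    return date.fromisoformat(api_version[:10])


def audit_legacy_api_gate(resources, floor):
    """Return {service name: reason} for services still accepting legacy ARM API versions.
    `floor` = earliest api-version your automation needs (an assumed value below); no
    constraint, or one older than the floor, leaves the deprecated endpoints reachable."""
    floor_date = _version_date(floor)
    findings = {}
    for res in resources:
        if res.get("type") != "Microsoft.ApiManagement/service":
            continue
        constraint = res.get("properties", {}).get("apiVersionConstraint") or {}
        min_version = constraint.get("minApiVersion")
        if not min_version:
            findings[res["name"]] = "no minApiVersion set: legacy API versions accepted"
        elif _version_date(min_version) < floor_date:
            findings[res["name"]] = f"minApiVersion {min_version} is older than floor {floor}"
    return findings


def remediation_body(floor):
    """ARM PATCH body that raises the floor on the service resource."""
    return {"properties": {"apiVersionConstraint": {"minApiVersion": floor}}}


if __name__ == "__main__":
    for name, reason in audit_legacy_api_gate(SAMPLE_RESOURCES, "2021-08-01").items():
        print(f"{name}: {reason}")
```

Re-running the audit on a schedule also covers the "monitor for their reactivation" advice, since a service whose constraint has been removed or lowered shows up again as a finding.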

Organizations using Azure API Management are strongly advised to review and strengthen their security configurations, implementing these recommendations to prevent potential exploitation. Given the ability to escalate from Reader to full control, these vulnerabilities could significantly endanger sensitive resources and operations within APIM.
