Artifact 8


This is a paper about a vulnerability and how it works.

The attack this paper covers is the SSRF attack on Microsoft Azure cloud services. The attack was carried out against the Microsoft system by the security company Orca, which found that four areas of the Azure system were vulnerable to an SSRF attack.

First, Orca is a cloud security company that looks for vulnerabilities in cloud platform systems (Orca Security). The company found four vulnerable areas in the Microsoft Azure cloud system: Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins (purplesec). Of the four, three were rated at an important severity level and the last was rated low (purplesec). The Machine Learning issue was the one deemed low priority, because it was judged to have very little chance of reaching important data or tokens. The others were rated important and needed to be researched and patched.

SSRF stands for server-side request forgery. This type of attack is broken up into three types. The first is the totally blind type, in which the attacker uses the server to make a request but does not receive any return information. Because nothing comes back, it is hard for the attacker to know whether the attack succeeded. The second type is the semi-blind attack, in which the server returns limited information to the attacker, giving some information about the system. The third type is the non-blind type, in which the attacker fully controls the server's request and receives the full response to it. The company found the Azure vulnerabilities to be of the non-blind type. If not stopped, SSRF attacks on server-side applications can be used to gain access to sensitive data.

The following diagram, provided by the Orca Security website, shows how the SSRF flow works.

How does a Server-Side Request Forgery (SSRF) attack work?

In the diagram below, we show the different communication flows between the attacker, the vulnerable server and a web server in an SSRF attack.

  1. The first arrow represents the initial request being sent from the attacker to the vulnerable server. This request is crafted by the attacker in an attempt to exploit a Server-Side Request Forgery (SSRF) vulnerability on the vulnerable server.
  2. The second arrow represents the vulnerable server forwarding the request to a web server. This occurs because the vulnerable server is able to make requests to external servers due to the SSRF vulnerability.
  3. The third arrow represents the response from the web server being sent back to the vulnerable server.
  4. The fourth and final arrow represents the response from the vulnerable server sent back to the attacker. This response includes any information that the attacker was able to retrieve from the web server through the exploitation of the SSRF vulnerability.
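The check that breaks the second arrow of the diagram, as an added example that is not code from Orca, Microsoft or this paper: a server-side fetch handler that forwards any caller-supplied URL, beside a hardened version that treats the URL as untrusted, allows only an allow-list of hosts, and also refuses destinations that resolve to internal or link-local addresses (the 169.254.0.0/16 block that holds the cloud instance-metadata endpoint 169.254.169.254 is a known fact, not something from the page). The allow-list, host names and resolver table are constructed for the example.

```python
"""Vulnerable URL-fetch handler beside a hardened one (added example)."""
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlparse

# Constructed allow-list for this example: the only destinations, scheme and
# ports the server-side fetch is permitted to use.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None = default port for the scheme

# Constructed resolver table so the check can be exercised offline.
# 93.184.216.34 stands in for a public address; 10.0.0.5 is RFC 1918 space.
EXAMPLE_RESOLVER_TABLE = {"api.example.com": "93.184.216.34",
                          "cdn.example.com": "10.0.0.5"}


def example_resolve(host: str) -> str:
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    try:
        return EXAMPLE_RESOLVER_TABLE[host]
    except KeyError:
        raise socket.gaierror(f"no entry for {host}")


def is_internal_address(ip: str) -> bool:
    """True for addresses a server-side fetch must never be steered to:
    loopback, RFC 1918, link-local (169.254.0.0/16, where the instance
    metadata endpoint lives), reserved, multicast and unspecified ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def fetch_target_vulnerable(user_url: str) -> str:
    """'Before': the vulnerable server in the diagram forwards whatever URL
    the caller supplied. Returns the destination it would request instead of
    performing the request, so the behaviour is visible offline."""
    return user_url


def fetch_target_hardened(
    user_url: str,
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> Tuple[bool, str]:
    """'After': the URL is untrusted input. Scheme, host and port must be on
    the allow-list, and the address the host resolves to must not be
    internal. Returns (allowed, reason). In production the fetch should
    connect to the address validated here rather than re-resolving the
    name, otherwise a DNS answer that changes between check and use
    (rebinding) slips past the check."""
    parts = urlparse(user_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased; any user@ prefix is stripped
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ip = resolve(host)
    except OSError as exc:
        return False, f"could not resolve {host}: {exc}"
    if is_internal_address(ip):
        return False, f"{host} resolved to internal address {ip}"
    return True, f"{host} -> {ip}"


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/items",
                "http://169.254.169.254/metadata/instance",
                "https://cdn.example.com/img.png",
                "https://api.example.com@10.0.0.1/"):
        print(f"{url:<45} vulnerable -> {fetch_target_vulnerable(url)}")
        print(f"{'':<45} hardened   -> {fetch_target_hardened(url, example_resolve)}")
```

The hardened handler rejects the metadata URL twice over (wrong scheme, host not on the list), and it also rejects an allow-listed name whose answer points into private space, which is the case a plain string allow-list misses.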

The researchers were able to access two of the Azure services, Digital Twins and Functions, without authentication or an account. An attacker can use such an entry point to gather information on endpoints and to port scan, working out where to attack in the future to gain access. SSRF is dangerous because, if not stopped, the attacker can reach instance metadata, and that metadata may point the attacker to where the secure data they are looking for is located.

This type of vulnerability is very relevant today because of the use of cloud-based everything. The spreading use of cloud-based applications for both home and business makes this type of vulnerability very dangerous. It shows that malicious attackers are still outpacing the makers of software and hardware, as has been true since the start of the technology explosion of the last few decades. The good thing for Microsoft in this case was that the flaws were found by a security company and not, as far as we know, by a malicious attacker. The fact that two important cloud services could be accessed without an account or authentication shows that companies are still vulnerable. The company that found the vulnerabilities contacted Microsoft and reported them, and Microsoft offered patches soon after it was informed. Microsoft had to offer patches and also change how the information would be accessed and authenticated.

These vulnerabilities show the need for companies and people to be proactive about their security. The vulnerabilities were patched, but companies could also have stopped them with add-on security suites, which third parties provide as paid add-ons used alongside the cloud service providers. The attacks show the need for more use of authentication in the data security world. The world needs access to data for the internet of things to work, so making sure that data is accessed only by the correct people is even more paramount.

The attacks show how companies have to keep their security suites and programs up to date, with the patches for their programs applied. The security team needs software or hardware to monitor traffic on their networks. One website offered two specific security rules to help protect against this type of attack: never trust user input, and keep a white list (allow-list) of URLs that are permitted through (darkreading).

Attacks on networks in the internet of things environment are growing and evolving every day, and the need for white-hat hacker companies is growing with them. This type of security testing can help more than ever, because it can find new vulnerabilities in our networks, hopefully before they become real issues. These vulnerabilities were found, and the company patched them in a very timely manner. The patches, hopefully and so far, have stopped malicious attackers from exploiting a vulnerability in this cloud-based network. White-hat security companies need to be employed or rewarded for helping companies find the problems. The vulnerabilities also show the continuing need for companies to spend capital on internal or external security teams to keep their networks up and running.

The security of the internet of things is becoming more and more important to the running of economies and governments around the world. Therefore everyone needs to keep and practice good security to keep the world running.
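One form of the network traffic monitoring the paragraph above calls for, as an added example that is not from this paper, from Orca or from any vendor product: a small detector run over constructed egress-log lines from an application tier. It flags connections from application hosts to the link-local metadata range, connections to internal addresses that are not on a baseline of known dependencies, and one source touching several distinct internal endpoints, which is the port-scanning pattern the paper mentions. The log format, host names, addresses, timestamps, baseline and threshold are all invented for the example.

```python
"""Egress-log detector for SSRF-style outbound traffic (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed egress-log lines (key=value per line) for an application tier.
SAMPLE_LOG = """\
ts=2023-01-17T10:00:01Z src=web-01 dst=93.184.216.34 dport=443 host=api.example.com path=/v1/items
ts=2023-01-17T10:00:02Z src=web-01 dst=169.254.169.254 dport=80 host=169.254.169.254 path=/metadata/instance
ts=2023-01-17T10:00:03Z src=web-02 dst=10.0.0.7 dport=5432 host=db-01 path=-
ts=2023-01-17T10:00:04Z src=web-02 dst=10.0.0.7 dport=6379 host=10.0.0.7 path=-
ts=2023-01-17T10:00:05Z src=web-01 dst=127.0.0.1 dport=8080 host=localhost path=/admin
ts=2023-01-17T10:00:06Z src=web-03 dst=10.0.0.5 dport=22 host=10.0.0.5 path=-
ts=2023-01-17T10:00:07Z src=web-03 dst=10.0.0.5 dport=80 host=10.0.0.5 path=/
ts=2023-01-17T10:00:08Z src=web-03 dst=10.0.0.5 dport=3306 host=10.0.0.5 path=-
ts=2023-01-17T10:00:09Z src=web-02 dst=93.184.216.34 dport=443 host=cdn.example.com path=/img/a.png
"""

# Link-local block; the cloud instance-metadata endpoint 169.254.169.254 lives here.
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")
# Constructed baseline: internal (dst, port) pairs the app tier legitimately uses.
BASELINE_INTERNAL = {("10.0.0.7", "5432")}
# Distinct internal endpoints from one source before the activity is called a scan.
SCAN_THRESHOLD = 3

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (empty for blank or unparseable lines)."""
    return dict(FIELD_RE.findall(line))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Name the rule a single connection record trips, or None if it looks benign."""
    dst = ipaddress.ip_address(rec["dst"])
    if dst in METADATA_NET:
        return "metadata-endpoint"
    if (dst.is_private or dst.is_loopback) and (rec["dst"], rec["dport"]) not in BASELINE_INTERNAL:
        return "unexpected-internal"
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Apply the per-record rules, then the per-source scan heuristic."""
    alerts: List[Dict[str, str]] = []
    internal_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        rule = classify(rec)
        if rule is None:
            continue
        alerts.append({"ts": rec["ts"], "src": rec["src"],
                       "dst": f"{rec['dst']}:{rec['dport']}", "rule": rule})
        internal_targets[rec["src"]].add((rec["dst"], rec["dport"]))
    # One app host reaching many distinct internal endpoints is the scan pattern.
    for src, targets in sorted(internal_targets.items()):
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append({"ts": "-", "src": src,
                           "dst": f"{len(targets)} internal endpoints",
                           "rule": "possible-internal-scan"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:<21} {a['src']:<7} -> {a['dst']:<24} {a['rule']}")
```

Over the sample the detector raises one metadata alert for web-01, five unexpected-internal alerts, and one scan alert for web-03; the baseline entry keeps the legitimate database connection from web-02 quiet. In a real deployment the baseline would come from observed dependencies, and the two external hosts would ideally be checked against the same allow-list the application itself enforces.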

References

https://purplesec.us/security-insights/data-breaches/

https://msrc.microsoft.com/blog/2023/01/microsoft-resolves-four-ssrf-vulnerabilities-in-azure-cloud-services/

https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-four-ssrf-flaws-in-separate-azure-cloud-services
