Multiple Azure DevOps Vulnerabilities Let Attackers Inject CRLF Queries & Rebind DNS

Security researchers have uncovered multiple vulnerabilities in Azure DevOps that could allow attackers to inject CRLF queries and perform DNS rebinding attacks.

These flaws, discovered by Binary Security during a client engagement, highlight significant security risks in the popular development platform.

The first vulnerability, found in the ‘endpointproxy’ functionality of Azure DevOps, allows for Server-Side Request Forgery (SSRF).

This flaw enables attackers to make requests to internal services, potentially exposing sensitive information. The researcher demonstrated that by manipulating the ‘url’ parameter in requests to the endpointproxy API, it was possible to communicate with internal metadata services.

A second vulnerability was identified in the Service Hooks feature of Azure DevOps.

This flaw allows for both SSRF and Carriage Return Line Feed (CRLF) injection. By exploiting this vulnerability, attackers could inject arbitrary HTTP headers and manipulate outbound requests.

The researcher successfully demonstrated injecting the ‘Metadata: True’ header, which is required to communicate with most Azure metadata APIs.

Technical Analysis

Perhaps most alarmingly, the initial fix for the endpointproxy vulnerability was bypassed using DNS rebinding techniques.

This attack method involves manipulating DNS records to resolve a malicious hostname to different IP addresses over time, potentially allowing access to internal network resources.

DNS rebinding is particularly dangerous in cloud environments. As organizations increasingly move their infrastructure to the cloud, this attack vector becomes more relevant.

In Azure environments, successful exploitation could lead to the exfiltration of access tokens from Azure Active Directory, especially when managed identities are enabled on virtual machines.
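The rebinding bypass and the header injection described above both come down to how an outbound proxy validates its inputs. The following Python sketch is an added example, not Microsoft's fix and not code from the researcher's report: it contrasts a check-then-use destination filter with one that pins the validated IP, and rejects CR/LF in header values. The function names, the blocked-range list, the hostname and the resolver are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges an outbound proxy should refuse (illustrative list; extend per environment).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot slip past the IPv4 ranges.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    return any(addr in net for net in BLOCKED)

def naive_destination(url, resolve):
    """Check-then-use: validates one lookup, then resolves again to connect."""
    host = urlsplit(url).hostname
    if any(is_internal(ip) for ip in resolve(host)):
        raise ValueError("destination resolves to an internal address")
    return resolve(host)[0]  # second lookup, as an HTTP client would do

def pin_destination(url, resolve):
    """Resolve once, validate every answer, return (ip, host). The caller must
    connect to ip and send host only as the Host header / TLS server name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    answers = resolve(parts.hostname)
    if not answers or any(is_internal(ip) for ip in answers):
        raise ValueError("destination resolves to an internal address")
    return answers[0], parts.hostname

def safe_header(name, value):
    """Refuse CR, LF and NUL so a caller-supplied value cannot add header lines."""
    if any(c in name + value for c in "\r\n\x00"):
        raise ValueError("control character in header")
    return name, value

class RebindingResolver:
    """Constructed resolver: first answer is external, later answers are internal."""
    def __init__(self):
        self.calls = 0
    def __call__(self, host):
        self.calls += 1
        return ["203.0.113.10"] if self.calls == 1 else ["169.254.169.254"]

if __name__ == "__main__":
    url = "http://rebind.example.test/"  # constructed hostname
    print("naive connects to:", naive_destination(url, RebindingResolver()))
    print("pinned connects to:", pin_destination(url, RebindingResolver()))
```

The pinned variant only helps if the HTTP client really connects to the returned IP; redirects need the same treatment, since each hop is a new destination.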

The impact of these vulnerabilities could be severe. SSRF attacks can lead to unauthorized access to internal services, data leakage, and in some cases, remote code execution when combined with other vulnerabilities.

CRLF injection can result in HTTP response splitting, potentially leading to cross-site scripting (XSS) attacks, cache poisoning, and other security issues.

Microsoft has acknowledged these vulnerabilities and awarded bounties totaling $15,000 to the researcher.

For Azure DevOps users, it’s crucial to ensure all systems are updated with the latest security patches.

Additionally, implementing strong authentication mechanisms, regularly auditing access controls, and monitoring for unusual network activity can help mitigate the risks associated with these types of vulnerabilities.

Tushar Subhra Dutta