Cross-Tenant Data Exfiltration in Microsoft AI Studio via SSRF and Insecure Instance ID Handling
Overview
Security researchers discovered a critical vulnerability in Microsoft's Azure AI Studio that allowed for a full cross-tenant data breach, enabling attackers to access other customers' AI models, data, and sensitive configurations.

The attack chain began with the discovery of a Server-Side Request Forgery (SSRF) vulnerability in the platform's networking configuration. By exploiting this SSRF, researchers were able to scan the internal Azure network. They identified an internal management server responsible for provisioning and managing storage for AI Studio workspaces. Further investigation revealed that this server used an insecure mechanism for handling instance IDs, allowing an attacker to manipulate API requests and gain control over the server's primary functionality. By sending a crafted request, the researchers were able to elevate their privileges and assume control of the internal Azure Blob Storage management server for the entire AI Studio region.

This administrative access granted them the ability to list, read, and write data in the storage accounts of all other tenants within that region. The potential impact was catastrophic, allowing for widespread theft of proprietary machine learning models, sensitive training datasets, and other intellectual property from numerous organizations using the service. Microsoft was notified via responsible disclosure and rapidly patched the vulnerability by implementing stricter network segmentation, patching the SSRF flaw, and enforcing secure validation of instance IDs on the internal management server.
Affected Systems
Testing Guide
1. **Vendor Confirmation:** Confirm with your cloud provider (in this case, Microsoft) that the infrastructure has been patched and the vulnerability is mitigated.
2. **External Pentesting:** For similar cloud services, conduct regular external penetration testing focusing on multi-tenancy boundaries and internal API security.
3. **Review SSRF Defenses:** Audit your own applications for SSRF vulnerabilities, especially in services that interact with user-provided URLs or network configurations.
Mitigation Steps
1. **Apply Vendor Patches:** This vulnerability was patched by Microsoft on the service side; no user action is required for the specific fix.
2. **Network Isolation:** For self-hosted AI infrastructure, enforce strict network isolation and egress filtering for all components, especially those that process user-controllable input.
3. **Principle of Least Privilege:** Ensure internal services and APIs operate with the minimum necessary permissions and cannot access data belonging to other tenants.
4. **Secure Metadata Services:** Implement robust authentication and authorization on internal metadata and management services to prevent SSRF-based attacks.
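
An added example (not from the original advisory and not Microsoft's code) of the destination check that the SSRF audit in the Testing Guide and the egress-filtering step above call for: a user-supplied URL is accepted only if every address its host resolves to is publicly routable. The function names, host names and sample addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def system_resolver(host: str, port: int) -> list:
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_outbound_url(url: str, resolver=system_resolver):
    """Return (host, port, pinned_ips) or raise ValueError.

    Every address the name resolves to must be public; the caller connects
    to the returned IPs instead of resolving again (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password or not parts.hostname:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or ALLOWED_SCHEMES[parts.scheme]
    ips = resolver(parts.hostname, port)
    blocked = [ip for ip in ips if not is_public(ip)]
    if not ips or blocked:
        raise ValueError(f"{parts.hostname} resolves to non-public {blocked}")
    return parts.hostname, port, ips


if __name__ == "__main__":
    # Constructed sample: a fake resolver so the demo runs offline.
    sample = {"models.example.com": ["93.184.216.34"],
              "metadata.internal": ["169.254.169.254"]}
    for u in ("https://models.example.com/w.bin", "http://metadata.internal/"):
        try:
            print(u, "->", check_outbound_url(u, lambda h, p: sample[h]))
        except ValueError as err:
            print(u, "-> rejected:", err)
```

The check has to be repeated for every redirect target, and it complements network-level egress rules and authentication on internal services; it does not replace them.
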
Patch Details
Microsoft patched the vulnerability on their backend infrastructure after responsible disclosure. No specific version number is applicable to end-users.