Cross-Tenant Data Exposure in Azure AI Services via SSRF in Managed Data Connectors
Overview
A critical vulnerability, reminiscent of the 'Leaky Previews' class of bugs, was discovered in a managed data connector feature within Azure AI Services. The feature, designed to simplify data ingestion for model training and vectorization, allowed users to specify a URL to an external data source. However, the service-side component that fetched this data lacked proper validation and segmentation, leading to a Server-Side Request Forgery (SSRF) vulnerability. A malicious, authenticated user could provide a specially crafted URL pointing to internal, non-public Azure metadata and storage endpoints instead of an external resource. By exploiting this SSRF, an attacker could force the Azure AI service to make requests on their behalf within Azure's internal network. More critically, the vulnerability could be chained with an authorization flaw. The internal service responsible for data processing ran with overly broad permissions, allowing the attacker's SSRF payload to access and retrieve data from the storage accounts of *other tenants* using the same service. An attacker could systematically enumerate internal storage resources and exfiltrate sensitive datasets, trained models, and intellectual property belonging to other Azure customers. This represented a complete breakdown of tenant isolation within the managed AI service, a worst-case scenario for a multi-tenant cloud platform.
Affected Systems
Testing Guide
1. **Review Data Source Configurations**: Audit all data connectors in your Azure AI services. Identify any that are configured to pull data from a publicly accessible URL.
2. **Attempt SSRF Test**: In a non-production environment, configure a data source to point to an SSRF testing service (e.g., a Burp Collaborator instance or a custom webhook). Observe whether the service makes a request to your test endpoint.
3. **Check for Internal Metadata Access**: (Caution: only perform on your own resources in a test subscription.) Try to point the data source URL to a known Azure instance metadata endpoint (`169.254.169.254`). If the service successfully fetches data from this endpoint and returns it in an error message or processed output, it is vulnerable to SSRF.
Mitigation Steps
1. **Disable or Restrict Preview Features**: Avoid using preview features for production workloads containing sensitive data until they have reached General Availability and undergone extensive security audits.
2. **Network Segmentation**: When connecting cloud services to your data, use private endpoints and VNet service endpoints to ensure traffic does not traverse the public internet and is restricted to your virtual network.
3. **Implement Strict Egress Filtering**: Configure network security groups (NSGs) and firewalls to control outbound traffic from your services, allowing connections only to a predefined list of trusted endpoints.
4. **Use Customer-Managed Keys**: Encrypt data at rest using customer-managed encryption keys (CMEK) to have greater control over data access, although this may not mitigate a vulnerability where a trusted service is compromised.
Patch Details
Microsoft patched the backend service by implementing a strict allowlist for outbound connections and improving validation and isolation for the data ingestion service. The fix was rolled out automatically to all affected regions.
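The fix described above, and mitigation step 3, both come down to the same control on the fetching side of a connector: decide where an outbound request may go before making it, and fail closed. The Python below is an added example written for this page; it is not Microsoft's code and not part of the Azure service. It shows the shape of such a check: the scheme and host must be on an allowlist, every address the host resolves to is tested against loopback, link-local (which contains `169.254.169.254`), private and reserved ranges, and the checked addresses are handed back so the fetch connects to one of them instead of resolving the name a second time. The allowlist, host names and resolver answers are constructed for the example.

```python
"""
Outbound destination check for a URL-fetching data connector.

Added example for this page (not Azure's or Microsoft's code). The allowlist,
host names and the fake DNS answers below are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only sources a connector may fetch.
ALLOWED_HOSTS = {"data.example.com", "feeds.example.org"}
ALLOWED_SCHEMES = {"https"}


def is_internal(ip) -> bool:
    """True for any address a connector must never reach: loopback,
    link-local (169.254.0.0/16, hence the instance metadata endpoint),
    RFC 1918 / ULA private, multicast, reserved and unspecified ranges.
    IPv4-mapped IPv6 addresses are unwrapped so ::ffff:10.0.0.1 is caught."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback or ip.is_link_local or ip.is_private
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def resolve_all(host: str) -> list:
    """Resolve a host to every A/AAAA answer live DNS returns right now."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def validate_connector_url(url: str, resolver=resolve_all) -> tuple:
    """Validate a data-source URL before fetching it.

    Returns (ok, reason, resolved_ips). On success the caller should open the
    connection to one of resolved_ips and send the Host header itself, so a
    DNS answer that changes between check and fetch cannot redirect the
    request. Any HTTP redirect target must go through this function again.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed", []
    host = (parts.hostname or "").rstrip(".").lower()
    # Allowlist first: a literal IP such as 169.254.169.254 fails here already.
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}", []
    # Defence in depth: an allowlisted name whose DNS answers include an
    # internal address (stale, poisoned or attacker-controlled record) is
    # still refused, and one bad answer among several is enough to refuse.
    try:
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            ips = resolver(host)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}", []
    if not ips:
        return False, "host resolved to no addresses", []
    bad = [str(ip) for ip in ips if is_internal(ip)]
    if bad:
        return False, f"host resolves to internal address(es): {bad}", []
    return True, "ok", ips


# Constructed DNS answers standing in for a live resolver (assumption).
# feeds.example.org is deliberately given one metadata-range answer.
FAKE_DNS = {
    "data.example.com": ["93.184.216.34"],
    "feeds.example.org": ["93.184.216.35", "169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    """Resolver stand-in returning the constructed answers above."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in [
        "https://data.example.com/export.jsonl",
        "http://data.example.com/export.jsonl",
        "https://169.254.169.254/metadata/instance",
        "https://feeds.example.org/rss",
        "https://attacker.example.net/feed",
    ]:
        ok, reason, _ = validate_connector_url(url, resolver=fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY ':5} {url} ({reason})")
```

Two details matter in practice. The allowlist decision is made on the host name the operator configured, but the connection is made to an address that was actually checked; re-resolving at fetch time would reopen the window this check is meant to close. And the fetch itself must not follow redirects on its own, since a redirect to an internal address is the same request with one extra hop.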