Cross-Tenant Resource Manipulation in Azure OpenAI Service via API Authorization Bypass
Overview
An improper access control vulnerability was found in the Azure OpenAI Service's backend management API, allowing an authenticated user to view and delete resources belonging to other Azure tenants. The flaw was located in the API endpoints responsible for managing fine-tuned model deployments. When a request to delete a deployment was received, the service correctly validated the user's authentication token but failed to verify that the specified deployment ID belonged to the same Azure tenant as the user making the request. An attacker who had authenticated to their own Azure account could craft a direct API call, iterating through deployment IDs to discover and delete fine-tuned models owned by other organizations. This could lead to a significant denial of service, financial loss due to the cost of retraining models, and potential data privacy implications if metadata contained sensitive information. The root cause was a missing authorization check in the API logic. Microsoft's security team discovered the issue during an internal audit and deployed a fix before it was seen to be exploited in the wild.
Affected Systems
Testing Guide
1. This vulnerability was server-side and has been patched by Microsoft. It is no longer possible to test for this specific flaw. 2. You can verify your security posture by reviewing the IAM roles assigned to your Azure OpenAI resources. Ensure that only authorized principals have permissions like `Microsoft.CognitiveServices/accounts/deployments/delete`.
Mitigation Steps
1. **No User Action Required**: Microsoft has patched the vulnerability on the service side. All customers are protected automatically. 2. **Enable Resource Locks**: As a general best practice, apply 'CanNotDelete' resource locks in Azure on critical OpenAI deployments to prevent accidental or malicious deletion, even by authorized users. 3. **Monitor Audit Logs**: Regularly review Azure Monitor and Activity Logs for your OpenAI resources. Look for any unexpected or unauthorized API calls, particularly for deletion or modification of fine-tuned models and deployments. 4. **Use Scoped Permissions**: Adhere to the principle of least privilege. Grant users and service principals the narrowest set of permissions required for their roles, avoiding broad 'Contributor' or 'Owner' roles where possible.
Patch Details
The vulnerability was fixed on the Azure backend by Microsoft. No client-side updates are needed.