Microsoft Azure OpenAI SSRF Leading to Cross-Tenant Data Access
Overview
A critical vulnerability was discovered in the Microsoft Azure OpenAI Service's 'Bring Your Own Data' feature, which allowed for a complete compromise of a shared, multi-tenant Azure service. The feature enables customers to connect their Azure OpenAI instance to an Azure AI Search index. Researchers found that the internal service responsible for this data connection was vulnerable to a Server-Side Request Forgery (SSRF) attack. By manipulating a request to a public-facing API, an attacker could force the backend service to make arbitrary HTTP requests to internal Azure network endpoints. The researchers leveraged this SSRF to send a request to an internal management API for the Azure AI Search service itself. This API, which was not intended to be exposed, provided administrative credentials in its response. With these credentials, the researchers gained full administrative access to the underlying multi-tenant Azure AI Search instance. This level of access would have allowed a malicious actor to read, modify, and delete the search indexes of every Azure customer using that shared infrastructure, leading to a catastrophic cross-tenant data breach. The vulnerability highlighted the significant risks of misconfigurations in complex cloud AI services and the potential for a flaw in one feature to compromise an entire platform.
Affected Systems
Testing Guide
This vulnerability was in Microsoft's backend infrastructure and cannot be tested by customers. Cloud service providers are responsible for the security of the underlying platform. Customers should rely on provider attestations, penetration test reports, and security notifications.
Mitigation Steps
1. **Provider Patching**: The vulnerability existed in the Azure cloud infrastructure and was patched by Microsoft. No customer action is required for this specific flaw. 2. **Network Segmentation**: For self-hosted or similar architectures, ensure that services processing external data are in a heavily segmented network and cannot access internal metadata services or management endpoints. 3. **Egress Filtering**: Implement strict egress filtering rules to prevent backend services from making unauthorized network connections to internal or external endpoints. 4. **Cloud Security Posture Management**: Continuously monitor cloud environments for security misconfigurations and overly permissive network rules.
Patch Details
Microsoft deployed a patch to their backend infrastructure in August 2023, shortly after responsible disclosure by security researchers. The fix prevents the SSRF and secures the internal management endpoint.