Server-Side Request Forgery in Azure OpenAI 'On Your Data' Feature Enables Cloud Credential Exfiltration
Overview
Researchers at Wiz discovered a critical Server-Side Request Forgery (SSRF) vulnerability in the Azure OpenAI 'On Your Data' feature. This feature allows users to connect their own data sources (e.g., from Azure Blob Storage) to a language model. The vulnerability arose from improper URL validation in the backend service that retrieves and indexes user-provided data sources. An attacker could configure a data source pointing to an internal Azure IP address, specifically the Instance Metadata Service (IMDS) endpoint at `169.254.169.254`. The Azure service would then make a request to this internal endpoint on behalf of the user. By crafting a specific path, the attacker could trick the service into fetching and returning temporary managed identity credentials associated with the underlying Azure OpenAI infrastructure. These exfiltrated credentials could grant the attacker significant permissions within Microsoft's internal Azure environment, potentially allowing access to other customers' data or control over internal services. The attack required authentication but allowed for privilege escalation from a low-privileged user of the Azure OpenAI service to a highly privileged role within the cloud provider's infrastructure, demonstrating a significant security failure in a multi-tenant cloud AI service.
Affected Systems
Testing Guide
This vulnerability existed on the cloud provider's infrastructure and has been patched. It cannot be tested by end-users. However, to test for similar SSRF flaws in your own applications: 1. **Identify Input Fields**: Find any feature in your application that accepts a URL from a user and fetches data from it (e.g., importing data, webhooks, document processing). 2. **Provide Internal IPs**: Attempt to input internal or special IP addresses like `169.254.169.254`, `127.0.0.1`, or other private network IPs. 3. **Observe Application Behavior**: If the application returns data from the internal service, shows a specific error message indicating a connection was attempted, or exhibits a timing delay different from a public URL, it may be vulnerable to SSRF.
Mitigation Steps
1. **Apply Vendor Patches**: This vulnerability was patched by Microsoft on the backend. No user action is required for mitigation as the fix is applied service-side. 2. **Implement Egress Controls**: For custom-built AI applications, strictly control outbound network traffic. Use an egress proxy or network security groups to explicitly deny requests to known metadata IP addresses and other internal ranges. 3. **Use Private Endpoints**: When connecting your own data sources to cloud AI services, use private endpoints and VNet integration wherever possible to avoid exposing data connectors to the public internet. 4. **Audit Service Permissions**: Regularly review the IAM permissions granted to AI services and managed identities, ensuring they adhere to the principle of least privilege.
Patch Details
Microsoft patched the vulnerability on their backend infrastructure after responsible disclosure. No specific version number is applicable for end-users.