SSRF in GCP Vertex AI 'Bring Your Own Data' Feature Allows Internal Network Scanning
Overview
A Server-Side Request Forgery (SSRF) vulnerability was discovered in a data ingestion feature of a major cloud AI service, such as GCP Vertex AI or Azure OpenAI. The feature, designed to allow users to connect their own data sources via a URL, failed to properly validate user-supplied webhooks and URIs. An attacker could provide an internal or private IP address pointing to services within the cloud provider's own network.

For example, an attacker could specify a URL like `http://169.254.169.254/computeMetadata/v1/` (the GCP metadata service). The AI service's backend parser would fetch this URL, and the response, containing sensitive instance metadata like service account tokens, would be returned to the attacker, often embedded in an error message. This allowed an unauthenticated user to map the provider's internal network, query sensitive metadata services, and potentially pivot to other internal services or customer tenants.

The vulnerability exposed a critical flaw in the trust boundary between the user-facing control plane and the internal data processing plane of the AI service. The root cause was an inadequate blocklist-based approach to URL validation, which could be bypassed using DNS rebinding, open redirects, or alternative IP address encodings.
Affected Systems
Testing Guide
1. **Identify Data Source Features:** In your cloud AI service, locate any feature that ingests data from a user-provided URL (e.g., creating a dataset from a web source, connecting to a webhook).
2. **Attempt to Use an Internal IP:** Provide a URL that points to a known internal service or a service you control with a private IP address. A common test is to use a service like Burp Collaborator or Interactsh to generate a test domain.
3. **Supply a Metadata Service URL:** Input the cloud's metadata service IP, `http://169.254.169.254/`. Be extremely careful doing this, even in your own environment.
4. **Check for a Connection:** Observe if the service returns an error message indicating a connection attempt or, in a worst-case scenario, returns data from the internal service. If any interaction is detected, the service is vulnerable.
Mitigation Steps
1. **Apply Provider Patches:** Ensure all cloud services are up to date, as providers typically patch these vulnerabilities silently and rapidly.
2. **Use Network Controls:** When configuring AI services, place them within a Virtual Private Cloud (VPC) and use strict network egress rules to deny access to internal IP ranges and metadata services by default.
3. **Employ Private Endpoints:** Whenever connecting to data sources, use private endpoints and VPC Service Controls instead of public URLs to ensure traffic never traverses the public internet and stays within a trusted network boundary.
4. **For Developers of Similar Services:** Implement strict allowlist-based validation for all user-supplied URLs. Resolve all domain names and ensure they point to public, non-reserved IP addresses before making any outbound request.
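
One way to implement the validation in step 4, as an added example (not code from any provider or from this advisory). The allowlist contents, `data.example.com`, and the function names are assumptions for illustration; the resolver is injectable so the check can be exercised offline with constructed addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of ingestion hosts; a real service would load its own.
ALLOWED_HOSTS = {"data.example.com"}
ALLOWED_SCHEMES = {"https"}


def system_resolver(host, port):
    """Resolve host with the OS resolver and return the address strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public(addr):
    """True only for globally routable addresses (no RFC 1918, loopback, link-local)."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped IPv6 form cannot hide a private IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_fetch_url(url, resolver=system_resolver):
    """Return (host, port, pinned_ips) if the URL may be fetched, else raise ValueError.

    The caller must connect to one of pinned_ips (sending `host` for SNI/Host)
    instead of resolving again, so a DNS rebind between check and fetch
    cannot swap in an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact-match allowlist: integer or hex IP encodings never match a name here.
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    port = parts.port or 443
    addrs = resolver(host, port)
    # Reject if ANY record is non-public: a mixed answer is a rebinding signal.
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return host, port, sorted(set(addrs))
```

Redirects need the same treatment: disable automatic redirect following in the HTTP client and pass each `Location` target back through `validate_fetch_url` before fetching it.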
Patch Details
Cloud providers have patched their respective services. The issue was not assigned a public CVE as it was addressed via internal remediation and responsible disclosure.