SSRF Vulnerability in Azure OpenAI 'On Your Data' Feature Exposes Internal Services
Overview
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the 'On Your Data' feature of Microsoft's Azure OpenAI Service. This feature allows users to connect their own data sources, such as Azure Blob Storage or a web URL, to an LLM for retrieval-augmented generation (RAG). Researchers found that the backend service responsible for fetching data from user-provided URLs did not properly validate and sanitize the input. By providing a specially crafted URL pointing to internal Azure metadata services or other non-public endpoints within the Azure fabric, an authenticated attacker could force the Azure service to make arbitrary HTTP requests on their behalf from its trusted internal network position. For example, an attacker could provide the URL `http://169.254.169.254/metadata/instance`, causing the service to fetch and return sensitive instance metadata. A successful exploit could allow an attacker to scan internal network ports, access internal administrative endpoints, and potentially exfiltrate metadata tokens or other sensitive service information. This vulnerability bypasses traditional network firewalls, as the malicious request originates from a trusted Microsoft service. The finding emphasizes the critical need for strict egress filtering and input validation in cloud AI services that interact with user-supplied external resources.
Affected Systems
Testing Guide
1. In the Azure OpenAI Studio, configure a new data source using the 'On Your Data' feature and select the 'URL' option. 2. As the URL, provide a unique endpoint from a web application security testing tool (e.g., Burp Collaborator, Interactsh). 3. Complete the data source setup. If the Azure service makes an HTTP request to your testing endpoint, it confirms the data fetching mechanism is working. 4. Attempt to provide an internal or non-routable IP address. If the service returns an error indicating the address is blocked or invalid, the patch is likely in place. Direct testing for SSRF against the live service is a violation of the terms of service.
Mitigation Steps
1. **Apply Microsoft Security Updates**: Microsoft has patched this vulnerability on the backend. No user action is required for the service itself, but it's critical to ensure all systems are managed according to best practices. 2. **Use Private Endpoints**: When connecting 'On Your Data' to Azure resources, use Azure Private Endpoints to ensure that data access occurs over the Azure private network and is not exposed to the public internet. 3. **Network Security Groups (NSGs)**: For data sources within a VNet, apply strict NSG rules to limit inbound and outbound traffic, only allowing connections from known, trusted IP ranges. 4. **Audit Data Source URLs**: Regularly audit the URLs and data sources configured for use with the Azure OpenAI service to ensure they point to legitimate, intended locations.
Patch Details
Microsoft patched the vulnerability on their backend infrastructure after responsible disclosure. No specific version number is applicable for the SaaS offering.