Azure DevOps Vulnerabilities Enable CRLF Injection and DNS Rebinding Attacks

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure DevOps? This article is for you!

 

The article discusses several vulnerabilities discovered in Azure DevOps, including CRLF injection and DNS rebinding attacks, which present serious security risks. The vulnerabilities allow attackers to conduct Server-Side Request Forgery (SSRF) and manipulate DNS records, potentially exposing sensitive internal services and data. Exploitation of these flaws can lead to unauthorized access, data leakage, and further attacks like cross-site scripting (XSS). To mitigate these risks, Azure DevOps users are advised to apply security patches, strengthen authentication, audit access controls, and monitor network activities.

 

Key Facts

Risks: API Vulnerability, Cloud Service Provider Flaw

Keywords: Azure DevOps, SSRF, CRLF Injection, DNS Rebinding, Cloud Security, Vulnerability

CVE: N/A

Affected: Azure DevOps, Azure Active Directory

 

Article Body

Multiple Vulnerabilities in Azure DevOps

Recent discoveries have uncovered critical security vulnerabilities within Azure DevOps, a widely used development platform. These vulnerabilities could enable attackers to perform Carriage Return Line Feed (CRLF) injection and DNS rebinding attacks, posing significant risks to cloud environments.

Key Vulnerabilities

  1. Endpointproxy Vulnerability
     - Type: Server-Side Request Forgery (SSRF)
     - Description: This vulnerability exists in the endpointproxy functionality of Azure DevOps. It allows attackers to make unauthorized requests to internal services by manipulating the url parameter in requests to the endpointproxy API. This could potentially expose sensitive internal information by communicating with internal metadata services.

  2. Service Hooks Vulnerability
     - Type: SSRF and CRLF Injection
     - Description: Found in the Service Hooks feature, this flaw enables attackers to inject arbitrary HTTP headers and manipulate outbound requests. An example of exploitation includes the injection of the Metadata: True header, facilitating communication with Azure metadata APIs.

  3. DNS Rebinding Attack
     - Description: This attack method was used to bypass the initial fix for the endpointproxy vulnerability. DNS rebinding manipulates DNS records to resolve a malicious hostname to different IP addresses over time, potentially granting access to internal network resources. This is particularly dangerous in cloud settings, where it could lead to exfiltration of access tokens from Azure Active Directory, especially when managed identities are enabled on virtual machines.
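As an added illustration (not code from the article or from Microsoft's fix), the sketch below shows the two server-side checks these flaws call for: rejecting CR/LF in outbound header values, and resolving a destination hostname once, refusing non-public addresses, and pinning the connection to the validated IP so a later DNS answer cannot redirect it. All function names, the hostname `rebind.example` and the sample public address are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedRequest(Exception):
    """Outbound request rejected by validation."""

def system_resolver(host):
    """Default resolver: every address the OS returns for host."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def check_headers(headers):
    """Reject CR/LF in header names or values (header injection)."""
    for name, value in headers.items():
        if "\r" in name + value or "\n" in name + value:
            raise BlockedRequest(f"CR/LF in header {name!r}")

def resolve_and_pin(url, resolver=system_resolver):
    """Resolve the host once and return (ip, port, host) to connect to.

    Every resolved address must be globally routable. The caller connects
    to the returned ip (sending host as Host/SNI) and never resolves again,
    so a later DNS answer cannot redirect the request (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedRequest("unsupported URL")
    addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise BlockedRequest("host did not resolve")
    for ip in addrs:
        if not ip.is_global:  # private, loopback, link-local (169.254.0.0/16), ...
            raise BlockedRequest(f"{parts.hostname} resolves to {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return str(addrs[0]), port, parts.hostname

def rebinding_resolver():
    """Constructed resolver: public answer first, metadata address after."""
    answers = iter([["93.184.216.34"], ["169.254.169.254"]])
    return lambda host: next(answers)

if __name__ == "__main__":
    dns = rebinding_resolver()
    print(resolve_and_pin("https://rebind.example/hook", dns))  # pinned public IP
    print(dns("rebind.example"))  # what a second, unpinned lookup would get
```

A validator that checks the hostname and then lets the HTTP client resolve it again is exposed to the second answer; connecting to the pinned IP closes that gap.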

Potential Impacts

Mitigation Recommendations

For Azure DevOps users, it's crucial to:

These steps can help mitigate the risks associated with the discussed vulnerabilities.

 

Read More

https://cybersecuritynews.com/multiple-azure-devops-vulnerabilities/