Security researchers have uncovered multiple Azure DevOps vulnerabilities, enabling CRLF injection and DNS rebinding attacks.
Discovered by Binary Security during a client engagement, these flaws expose critical risks in the platform.
One key issue lies in the ‘endpointproxy’ functionality, which allows Server-Side Request Forgery (SSRF).
This flaw allows attackers to send requests to internal services, potentially exposing sensitive data. The researcher demonstrated that by manipulating the url parameter in requests to the endpointproxy API, it was possible to communicate with internal metadata services.
Another vulnerability was identified in the Service Hooks feature of Azure DevOps, enabling both SSRF and CRLF injection. Exploiting this flaw could allow attackers to inject arbitrary HTTP headers and manipulate outbound requests.
The researcher successfully demonstrated injecting the ‘Metadata: True’ header, which is necessary for accessing most Azure metadata APIs.
The initial fix for the endpointproxy vulnerability was bypassed using DNS rebinding techniques. This attack manipulates DNS records to resolve a malicious hostname to different IP addresses, potentially granting access to internal network resources.
DNS rebinding is especially dangerous in cloud environments, as more organizations move their infrastructure to the cloud. In Azure, successful exploitation could lead to the theft of access tokens from Azure Active Directory, particularly when managed identities are enabled on virtual machines.
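A sketch of the server-side checks that close the gap a rebinding bypass relies on, added here as an illustration (it is not Microsoft's fix or Binary Security's code): the destination name is resolved once, every answer is vetted, and the connection is pinned to the vetted address, while outbound header values are rejected if they contain CR or LF. The names pin_destination, check_header and the injectable resolver parameter are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class BlockedRequest(Exception):
    """Raised when an outbound request fails validation."""


def resolve_all(host):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def pin_destination(url, resolver=resolve_all):
    """Resolve once, vet every answer, return (host, ip) to connect to.

    The caller must open the socket to the returned ip and send host only
    as Host/SNI. Validating a name and then letting the HTTP client
    resolve it a second time is the gap DNS rebinding uses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedRequest("unsupported URL")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise BlockedRequest("no addresses")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918 and link-local
        # ranges, which includes the 169.254.169.254 metadata address.
        if not ip.is_global:
            raise BlockedRequest(f"{parts.hostname} resolves to {ip}")
    return parts.hostname, addrs[0]


def check_header(name, value):
    """Reject header names or values that could split the request."""
    if any(c in name + value for c in "\r\n\0"):
        raise BlockedRequest("control character in header")
    return name, value
```

Because the second lookup never happens, a record that flips to an internal address after validation has nothing to redirect.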
These vulnerabilities could have serious impacts. SSRF attacks may allow unauthorized access, data leakage, and remote code execution. CRLF injection can cause XSS, cache poisoning, and more.
Microsoft awarded $15,000 to the researcher.
Azure DevOps users should apply the latest security patches, use strong authentication, audit access controls, and monitor network activity to reduce risks.