title: Azure OpenAI Control Plane Bypass for Deployment resource
slug: azure-openai-controlplanebypass-deployments
cves: null
affectedPlatforms:
  - Azure
affectedServices:
  - OpenAI
  - Deployment resource
image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/[slug].jpg
severity: Medium - CVSS, Low - Piercing
piercingIndexVector: A3:1.05/A4:1/A5:1/A6:3/A7:1.1/A8:1.1
discoveredBy:
  name: Tyson Garrett
  org: TrustOnCloud
  domain: null
  twitter: null
publishedAt: 2024/02/22
disclosedAt: 2023/10/24
exploitabilityPeriod: Ongoing
knownITWExploitation: null
summary: |
  A set of Azure OpenAI authoring APIs allows the service instance endpoint, rather than management.azure.com, to be used to create, update, delete, and list/read the Azure OpenAI Deployment resource. Because these calls never reach the Azure Resource Manager control plane, they bypass Azure Policy Deny/Modify effects and Resource Locks, and they can be authenticated with the account's access keys instead of an Entra ID identity.
manualRemediation: |
  Do not use the Azure AI Developer built-in role, and ensure that any role used for the Microsoft.CognitiveServices namespace lists the operations below in the NotDataActions section of every applicable role definition.
Thanks for the submission!
Maybe we should add that there is no long-term fix at the moment, because MSFT doesn't consider this design error a security vulnerability.
@tyson-trust could you add a PR with this information? Also, I'm having trouble understanding the impact of this issue and how likely it is to be exploited; I think it would be useful to add a PoC to the original blog post.
  Microsoft.CognitiveServices/accounts/OpenAI/deployments/read
  Microsoft.CognitiveServices/accounts/OpenAI/deployments/write
  Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete
detectionMethods: null
contributor: https://github.com/tyson-trust
references:
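As an added example (not part of the open-cvdb record or TrustOnCloud's research), a small audit that applies the remediation above to role definitions: for each role it evaluates whether DataActions minus NotDataActions still grants any of the three deployment operations, using Azure RBAC's wildcard semantics. The role definitions it checks are constructed samples with hypothetical names, not Microsoft's built-in roles.

```python
import re

# The three data-plane operations the remediation says to put in NotDataActions.
DEPLOYMENT_DATA_ACTIONS = (
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/read",
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/write",
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete",
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action patterns: '*' spans any characters, '/' included,
    and comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def data_action_allowed(role: dict, action: str) -> bool:
    """Granted when a DataActions entry matches and no NotDataActions entry
    matches; NotDataActions only subtracts, it never grants."""
    granted = any(action_matches(p, action) for p in role.get("DataActions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotDataActions", []))
    return granted and not excluded


def audit_roles(roles: list) -> dict:
    """Role name -> deployment operations the role still permits on the
    data plane; an empty list means the remediation is in place."""
    return {r["Name"]: [a for a in DEPLOYMENT_DATA_ACTIONS if data_action_allowed(r, a)]
            for r in roles}


# Constructed sample definitions with hypothetical names; none is a real built-in role.
SAMPLE_ROLES = [
    {"Name": "openai-dev-broad",       # whole-namespace grant, nothing subtracted
     "DataActions": ["Microsoft.CognitiveServices/*"], "NotDataActions": []},
    {"Name": "openai-dev-hardened",    # same grant, the three operations excluded
     "DataActions": ["Microsoft.CognitiveServices/*"],
     "NotDataActions": list(DEPLOYMENT_DATA_ACTIONS)},
    {"Name": "openai-reader",          # a read-all wildcard still reaches deployments/read
     "DataActions": ["*/read"], "NotDataActions": []},
]

if __name__ == "__main__":
    for name, leftover in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: {'hardened' if not leftover else 'still allows ' + ', '.join(leftover)}")
```

Feed it the output of `az role definition list` (the `permissions` entries carry the same `dataActions`/`notDataActions` shape, key case aside) to check real custom roles in a subscription.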