wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Add TrendMicro Azure ML vulnerabilities #210

Open korniko98 opened 1 year ago

korniko98 commented 1 year ago

Summary (give a brief description of the issue)

We investigated Azure ML, a managed MLaaS from Microsoft. Our findings talk of two broad classes of security issues, namely:

- Insecure logging of sensitive information: We found five instances of credentials leaking in cleartext on Compute Instances due to insecure usage of open-source components and insecure system design of how the environment was being provisioned.
- Sensitive information disclosure: We found a case of exposed APIs in cloud middleware leaking sensitive information from Compute Instances. Network-adjacent attackers could leverage the vulnerability after initial access to laterally move or snoop in on the commands executed using a Jupyter terminal on a Compute Instance.

References (provide links to blogposts, etc.)

https://www.blackhat.com/us-23/briefings/schedule/#uncovering-azures-silent-threats-a-journey-into-cloud-vulnerabilities-33073

http://i.blackhat.com/BH-US-23/Presentations/US-23-Surana-Uncovering-Azures-Silent-Threats.pdf?_gl=1*11qc3l2*_gcl_au*MTU0NDI0MzU5OC4xNjkxNjQ5Nzc3*_ga*MTU3MjI2MDY5MS4xNjkxNjQ5Nzc3*_ga_K4JK67TFYV*MTY5MTkxNDcwNi41LjEuMTY5MTkxNDc3OC4wLjAuMA..&_ga=2.9116469.141935915.1691649777-1572260691.1691649777

korniko98 commented 1 year ago

One of these might be related to this.

amccarthy-figma commented 11 months ago

blog: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/uncovering-silent-threats-in-azure-machine-learning-service-part-I which confirms relationship with #200