[Contribution] Azure OpenAI Control Plane Bypass for Deployment resource

[tyson-trust]

title: Azure OpenAI Control Plane Bypass for Deployment resource slug: azure-openai-controlplanebypass-deployments cves: null affectedPlatforms:

• Azure affectedServices:
• OpenAI
• Deployment resource image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/[slug].jpg severity: Medium - CVSS, Low - Piercing piercingIndexVector: A3:1.05/A4:1/A5:1/A6:3/A7:1.1/A8:1.1 discoveredBy: name: Tyson Garrett org: TrustOnCloud domain: null twitter: null publishedAt: 2024/02/22 disclosedAt: 2023/10/24 exploitabilityPeriod: Ongoing knownITWExploitation: null summary: | A set of Azure OpenAI authoring API’s enables the use of the service instance endpoint as opposed to management.azure.com to create, update, delete, and list/read the Azure OpenAI Deployment resource. This allows for bypass of Azure Policy for Deny/Modify effects, Resource Locks and provides you the option to use access keys instead of your Entra ID identity to do so.

manualRemediation: | Do not use the Azure AI Developer built-in role and ensure any roles used for Microsoft.CognitiveServices namespace add the below operations to the NotDataActions section of any applicable Role Definitions.

Microsoft.CognitiveServices/accounts/OpenAI/deployments/read Microsoft.CognitiveServices/accounts/OpenAI/deployments/write Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete

detectionMethods: null contributor: https://github.com/tyson-trust references:

• https://trustoncloud.com/how-i-bypassed-the-control-plane-in-azure-openai/

[labyrinthinesecurity]

Thanks for the submission! Maybe we should add that there is no long term fix at the moment, because MSFT doesn't consider this design error as a security vulnerability.

[korniko98]

@tyson-trust could you add a PR with this information? also - i'm having trouble understanding the impact of this issue and how likely it is to exploit - i think it would be useful to add a POC to the original blogpost.