Impact

The Open-source Azure IPAM solution was designed for customers to gain visibility to data about their IP address management and utilization within Azure. By design the solution has no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the Root Management Group level (when deployed using the provided script in the GitHub repo). Until recently, the solution lacked the validation of the passed in authentication (JWT) token which may result in attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege.

Patches

This issue was patched in the code merged into the main branch on 12/22/2023 (PR #218).

• For Azure IPAM instances running using the publicly hosted container images, simply restart your Azure App Service to obtain the patched images.
• For Azure IPAM instances running using a private Azur Container Registry, pull down the latest code from the main branch and build/push new containers using the process from our guide.
• For all other custom deployments, please follow your internal process to update your container images using the latest code from the main branch on or after 12/22/2023.

Workarounds

Here are several options which can be used to secure your Azure IPAM deployment until an upgrade can be performed:

• Setup access restrictions on your Azure IPAM App Service to limit connectivity from known good IP addresses.
• Create a private endpoint for your App Service so that only private, trusted traffic can reach your Azure IPAM instance.
• Stop your App Service running the Azure IPAM solution until an upgrade to the patched code can be completed.

References

N/A