Vulnerabilities Found in Microsoft's MCP Servers
The author audited three open-source MCP (Model Context Protocol) servers used for Azure integration and found over 20 vulnerabilities across 6 vulnerability classes, including a critical SQL injection flaw.
Why it matters
The vulnerabilities found in the MCP servers could have a significant impact on Azure tenants, as the servers connect to critical Azure resources like databases, key vaults, and DevOps pipelines.
Key Points
- 1The MCP servers connect large language models (LLMs) to production Azure resources, creating a new attack surface
- 2A SQL injection vulnerability with a CVSS score of 9.8 was found in the PostgreSQL service, but not in the MySQL service
- 3The author discovered multiple unpatched variants of a previously fixed vulnerability in the MCP servers
Details
The author audited three MCP servers developed by Microsoft: azure-mcp, mcp, and azure-devops-mcp. These servers are used by developers to connect AI agents to Azure infrastructure, with over 5,400 GitHub stars combined. The author found over 20 vulnerabilities, including a critical SQL injection flaw with a CVSS score of 9.8 in the PostgreSQL service. This vulnerability was not present in the MySQL service, despite the two services sharing the same codebase. The author also discovered 7 unpatched variants of a previously fixed vulnerability. The MCP servers are a new attack surface because they allow large language models (LLMs) to process untrusted data and call the servers with attacker-controlled parameters, leading to potential data exfiltration, destruction, or lateral movement.
No comments yet
Be the first to comment