webapp: Tenant can create Azure products from other regions not belonging to their subscription via Azure Classic/Modern CLIs
Summary: Tenant can create Azure products from other regions not belonging to their subscription via Azure Classic/Modern CLIs.
Description: I was testing classic Azure CLI (version 0.10.20) for actually automating my pentesting tools like creating TrafficManager profiles, Cloud services and Azure websites.
While I was looking up the syntax for making Azure websites, I noticed that it was actually returning more locations than what was available on the portal edition.
I noticed that the portal edition was giving me these regions as available regions, with a total of 29:
"North Europe"
"West Europe"
"Southeast Asia"
"East Asia"
"West US"
"East US"
"Japan West"
"Japan East"
"East US 2"
"North Central US"
"South Central US"
"Brazil South"
"Australia East"
"Australia Southeast"
"Central India"
"West India"
"South India"
"Canada Central"
"Canada East"
"West Central US"
"West US 2"
"UK West"
"UK South"
"Korea South"
"Korea Central"
"France Central"
"Australia Central"
"South Africa North"
Meanwhile, the CLI edition was giving these regions with the following command, “azure site location list”, with a total of 35:
"North Europe"
"West Europe"
"Southeast Asia"
"East Asia"
"West US"
"East US"
"Japan West"
"Japan East"
"East US 2"
"North Central US"
"South Central US"
"Brazil South"
"Australia East"
"Australia Southeast"
"Central India"
"West India"
"South India"
"Canada Central"
"Canada East"
"West Central US"
"West US 2"
"UK West"
"UK South"
"Korea South"
"Korea Central"
"France South"
"France Central"
"Australia Central 2"
"Australia Central"
"South Africa North"
"South Africa West"
"Switzerland North"
"Germany West Central"
"UAE Central"
For testing purposes I created an Azure website in the “Germany West Central” region, which wasn’t available on my subscription, with the following name: “tLzZxX”, which could be accessed at http://tLzZxX.azurewebsites.net
During creation it actually gave me an error and indicated that, even though it was facing an error, the website was potentially created.
When I visited my app service plans, unfortunately there wasn’t such a profile listed under them.
Furthermore, I tested the new modern CLI (version 2.0.76) and it was giving the same number of locations with the following command: “az appservice list-locations --sku F1”.
Supporting materials:
Subscription ID of Azure tenant: “ffc6d1bc-66b2-4800-8a25-519ea15949f6”
Azure Classic CLI version: 0.10.20
Azure Modern CLI version: 2.0.76
Azure website created in a non-available region: tLzZxX @ http://tLzZxX.azurewebsites.net
Impact: As mentioned above, while this is more of a functional issue than a security impact, this could still lead users to create apps in regions not available on their subscription, leaving them unable to delete them, as well as causing potential issues on the backend.
Extra Info: This was reported to MSRC, but since this is a functional issue they closed the case (VULN-012626 CRM:0469000267) and requested me to report it here about 2 months ago. I didn’t have time, so this is an exact copy of my report, and the issue is still persisting.
Issue Analytics
- Created 3 years ago
- Comments:11 (5 by maintainers)

@panchagnula I see, that makes more sense now. After changing to Windows, I was able to see it. Thank you for all your replies, please stay safe and be well.
@mcipekci ‘West Germany Central’ has been open to the public since the end of January 2020; the region is available for creating Windows apps and not Linux. The portal defaults you to Linux; if you change it to Windows + code you will find this region on the list. Also, our API blocks creating resources in unsupported regions; we verified this on our end. With the fix we made, the list of regions between the portal and CLI is consistent. Thanks again for bringing this to our attention.