Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information.
Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery (SSRF) attack.
"An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network," Microsoft said in an advisory released on August 6, 2024.
The tech giant further said the vulnerability has been addressed and that it requires no customer action.
Tenable security researcher Evan Grant, who is credited with discovering and reporting the shortcoming, said it takes advantage of Copilot's ability to make external web requests.
"Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft's internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances," Grant said.
Put differently, the attack technique made it possible to retrieve the instance metadata in a Copilot chat message and use it to obtain managed identity access tokens, which could then be abused to access other internal resources, including gaining read/write access to a Cosmos DB instance.
The cybersecurity company further noted that while the method does not allow access to cross-tenant information, the infrastructure powering the Copilot Studio service is shared among tenants, so elevated access to Microsoft's internal infrastructure could potentially affect multiple customers.
The disclosure comes as Tenable detailed two now-patched security flaws in Microsoft's Azure Health Bot Service (CVE-2024-38109, CVSS score: 9.1) that, if exploited, could allow a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.
It also follows an announcement from Microsoft that it will require all Microsoft Azure customers to have multi-factor authentication (MFA) enabled on their accounts starting October 2024 as part of its Secure Future Initiative (SFI).
"MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide," Redmond said.
"Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will begin."
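The flaw above is an SSRF guard that let user-directed requests reach the link-local Instance Metadata Service. The following added example (not Microsoft's or Tenable's code) shows the defender-side check such a "fetch this URL" feature needs: resolve the host, inspect every returned address, and refuse anything that is not a public address, including IPv4-mapped IPv6 forms. The function names and the `fake_resolve` table are constructed for illustration.

```python
"""Outbound-destination check for a service that fetches user-supplied URLs.
Added example for this article; not the Copilot Studio implementation."""
import ipaddress
import socket
from urllib.parse import urlparse


def system_resolve(host: str) -> list[str]:
    """Resolve with the system resolver and return every address, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolve(host: str) -> list[str]:
    """Constructed offline resolver used by the demo below (hostnames are made up)."""
    table = {
        "www.example.com": ["93.184.216.34"],
        "meta.attacker.example": ["169.254.169.254"],   # points at the IMDS address
        "mixed.example": ["93.184.216.34", "10.0.0.5"],  # public plus an internal address
    }
    if host not in table:
        raise socket.gaierror(f"unknown host {host}")
    return table[host]


def check_destination(url: str, resolve=system_resolve) -> tuple[bool, str]:
    """Return (allowed, reason). Only http/https, and every resolved address must be
    globally routable: link-local (IMDS lives at 169.254.169.254), loopback, private
    and reserved ranges are refused. The caller should then connect to the vetted
    address itself and disable redirect following (or re-check every hop), otherwise
    a host that re-resolves between check and connect defeats this control."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d so the IPv4 rules apply
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```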