Cybersecurity researchers have disclosed particulars of a now-patched vulnerability impacting the Microsoft SharePoint connector on Energy Platform that, if efficiently exploited, might permit risk actors to reap a person’s credentials and stage follow-on assaults.
This might manifest within the type of post-exploitation actions that permit the attacker to ship requests to the SharePoint API on behalf of the impersonated person, enabling unauthorized entry to delicate information, Zenity Labs mentioned in a report shared with The Hacker Information forward of publication.
“This vulnerability may be exploited throughout Energy Automate, Energy Apps, Copilot Studio, and Copilot 365, which considerably broadens the scope of potential harm,” senior security researcher Dmitry Lozovoy mentioned.
“It will increase the chance of a profitable assault, permitting hackers to focus on a number of interconnected providers inside the Energy Platform ecosystem.”
Following accountable disclosure in September 2024, Microsoft addressed the security gap, assessed with an “Necessary” severity evaluation, as of December 13.
Microsoft Energy Platform is a set of low-code growth instruments that permit customers to facilitate analytics, course of automation, and data-driven productiveness purposes.
The vulnerability, at its core, is an occasion of server-side request forgery (SSRF) stemming from the usage of the “customized worth” performance inside the SharePoint connector that allows an attacker to insert their very own URLs as a part of a move.
Nonetheless, to ensure that the assault to achieve success, the rogue person might want to have an Surroundings Maker function and the Primary Consumer function in Energy Platform. This additionally implies that they would wish to first acquire entry to a goal group by way of different means and purchase these roles.
“With the Surroundings Maker function, they will create and share malicious sources like apps and flows,” Zenity advised The Hacker Information. “The Primary Consumer function permits them to run apps and work together with sources they personal in Energy Platform. If the attacker would not have already got these roles, they would wish to realize them first.”
In a hypothetical assault state of affairs, a risk actor might create a move for a SharePoint motion and share it with a low-privileged person (learn sufferer), leading to a leak of their SharePoint JWT entry token.
Armed with this captured token, the attacker might ship requests outdoors of the Energy Platform on behalf of the person to whom entry was granted to.
That is not all. The vulnerability could possibly be prolonged additional to different providers like Energy Apps and Copilot Studio by making a seemingly benign Canvas app or a Copilot agent to reap a person’s token, and escalate entry additional.
“You’ll be able to take this even additional by embedding the Canvas app right into a Groups channel, for instance,” Zenity famous. “As soon as customers work together with the app in Groups, you possibly can harvest their tokens simply as simply, increasing your attain throughout the group and making the assault much more widespread.”
“The primary takeaway is that the interconnected nature of Energy Platform providers may end up in critical security dangers, particularly given the widespread use of the SharePoint connector, which is the place lots of delicate company information is housed, and it may be sophisticated to make sure correct entry rights are maintained all through numerous environments.”
The event comes as Binary Safety detailed three SSRF vulnerabilities in Azure DevOps that would have been abused to speak with the metadata API endpoints, thereby allowing an attacker to glean details about the machine’s configuration.
