
Researchers Uncover Vulnerabilities in AI-Powered Azure Health Bot Service

Cybersecurity researchers have discovered two security flaws in Microsoft's Azure Health Bot Service that, if exploited, could allow a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.

The critical issues, now patched by Microsoft, could have allowed access to cross-tenant resources within the service, Tenable said in a new report shared with The Hacker News.

The Azure AI Health Bot Service is a cloud platform that allows developers in healthcare organizations to build and deploy AI-powered virtual health assistants and create copilots to manage administrative workloads and engage with their patients.

This includes bots created by insurance service providers to allow customers to look up the status of a claim and ask questions about benefits and services, as well as bots managed by healthcare entities to help patients find appropriate care or look up nearby doctors.


Tenable's analysis specifically focuses on one aspect of the Azure AI Health Bot Service called Data Connections, which, as the name implies, offers a mechanism for integrating data from external sources, be it third parties or the service providers' own API endpoints.


While the feature has built-in safeguards to prevent unauthorized access to internal APIs, further investigation found that these protections could be bypassed by issuing redirect responses (i.e., 301 or 302 status codes) when configuring a data connection using an external host under one's control.

By setting up the host to respond to requests with a 301 redirect response destined for Azure's metadata service (IMDS), Tenable said it was possible to obtain a valid metadata response and then get hold of an access token for management.azure[.]com.

The token could then be used to list the subscriptions it provides access to via a call to a Microsoft endpoint that, in turn, returns an internal subscription ID, which could ultimately be leveraged to list the accessible resources by calling another API.

Separately, it was also discovered that another endpoint related to integrating systems that support the Fast Healthcare Interoperability Resources (FHIR) data exchange format was susceptible to the same attack.
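The root cause described above is a server-side fetcher that validates the URL the customer configures but then lets the HTTP client follow a redirect to a destination that was never validated. The defensive fix is to follow redirects manually and re-check every hop against a deny list of link-local (where cloud metadata services live), loopback and private address ranges, resolving hostnames before the check. The following is an added example written for this article, not Tenable's or Microsoft's code; the function names, the fake DNS table and the fake HTTP responses are all constructed for the demonstration.

```python
"""Guarded outbound fetcher for an integration feature: every hop of a
redirect chain is validated before it is requested.

Added example; not the Azure Health Bot Service's code. All names and
sample data are constructed for this demo.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Address ranges an integration must never reach on the customer's behalf:
# link-local (cloud metadata services), loopback, RFC 1918, CGNAT, "this"
# network and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Response = Tuple[int, Dict[str, str], bytes]          # (status, headers, body)
Transport = Callable[[str], Response]                 # performs one request
Resolver = Callable[[str], List[str]]                 # hostname -> IP strings


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; the demo below injects a fake one instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url: str, resolver: Resolver) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single URL, after resolving its host."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:                                   # literal IP in the URL?
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                     # hostname: resolve it first
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"{host} resolved to nothing"
    for addr in addrs:
        # An IPv4 range hidden inside an IPv4-mapped IPv6 literal still counts.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return False, f"{host} -> {addr} is in blocked range {net}"
    return True, "ok"


def fetch_guarded(url: str, transport: Transport, resolver: Resolver,
                  max_redirects: int = 3) -> Response:
    """Follow redirects by hand so the deny list applies to *each* hop,
    not only to the URL the customer typed in."""
    current = url
    for hop in range(max_redirects + 1):
        allowed, reason = check_destination(current, resolver)
        if not allowed:
            raise PermissionError(f"hop {hop} blocked: {reason}")
        status, headers, body = transport(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)   # next hop gets re-checked
            continue
        return status, headers, body
    raise PermissionError("too many redirects")


# --- constructed fixtures: a benign integration host and an untrusted host
# --- whose only purpose is to redirect the fetcher toward the metadata range.
FAKE_DNS = {"integration.example.com": ["203.0.113.10"],
            "untrusted.example.net": ["198.51.100.7"]}
FAKE_HTTP: Dict[str, Response] = {
    "https://integration.example.com/api/claims": (200, {}, b'{"status":"paid"}'),
    "https://untrusted.example.net/connect":
        (301, {"Location": "http://169.254.169.254/metadata/"}, b""),
    "http://169.254.169.254/metadata/": (200, {}, b"must never be fetched"),
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_transport(url: str) -> Response:
    return FAKE_HTTP[url]


def demo() -> Dict[str, object]:
    """Exercise both paths; returns what happened for each configured host."""
    results: Dict[str, object] = {}
    results["benign"] = fetch_guarded(
        "https://integration.example.com/api/claims", fake_transport, fake_resolver)[0]
    try:
        fetch_guarded("https://untrusted.example.net/connect", fake_transport, fake_resolver)
        results["redirect"] = "fetched"
    except PermissionError as exc:
        results["redirect"] = "blocked"
        results["reason"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The deny-list check is the same whether the customer supplied the URL directly or it arrived in a `Location` header, which is the property the original safeguard lacked. In production the fetcher should also disable the HTTP library's automatic redirect handling (for `requests`, `allow_redirects=False`) so that this loop is the only place redirects are followed, and it should connect to the IP it validated rather than resolving the name a second time at connection time, since a host that answers differently on the second lookup would otherwise slip past the check.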


Tenable said it reported its findings to Microsoft in June and July 2024, following which the Windows maker began rolling out fixes to all regions. There is no evidence that the issue was exploited in the wild.


"The vulnerabilities raise concerns about how chatbots can be exploited to reveal sensitive information," Tenable said in a statement. "In particular, the vulnerabilities involved a flaw in the underlying architecture of the chatbot service, highlighting the importance of traditional web app and cloud security in the age of AI chatbots."

The disclosure comes days after Semperis detailed an attack technique called UnOAuthorized that allows for privilege escalation using Microsoft Entra ID (formerly Azure Active Directory), including the ability to add and remove users from privileged roles. Microsoft has since plugged the security hole.

"A threat actor could have used such access to perform privilege elevation to Global Administrator and install further means of persistence in a tenant," security researcher Eric Woodruff said. "An attacker could also use this access to perform lateral movement into any system in Microsoft 365 or Azure, as well as any SaaS application connected to Entra ID."
