{"id":4967,"date":"2024-08-21T05:59:17","date_gmt":"2024-08-21T10:59:17","guid":{"rendered":"https:\/\/www.darkreading.com\/remote-workforce\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data"},"modified":"2024-08-21T05:59:17","modified_gmt":"2024-08-21T10:59:17","slug":"microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/21\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data\/","title":{"rendered":"Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt78193b8a31667311\/66c5cc139e44ad39b651e85a\/chatbotAI-jirsak-adobe-cp.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Researchers have exploited a vulnerability in Microsoft\u2019s <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/threat-intelligence\/microsoft-security-copilot-ai-assistant-next-level\" rel=\"noopener\">Copilot Studio tool<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> allowing them to make 
external HTTP requests that can access sensitive information regarding internal services within a cloud environment\u2014with potential impact across multiple tenants.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft\u2019s internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.tenable.com\/blog\/ssrfing-the-web-with-the-help-of-copilot-studio\" rel=\"noopener\">revealed<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in a blog post this week.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Tracked by Microsoft as <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-38206\" rel=\"noopener\">CVE-2024-38206<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. 
The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u201cAn SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way,\u201d Tenable Security Researcher Evan Grant explained in the post.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that \u201cwhile no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants,\u201d Grant wrote.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Any impact on that infrastructure, then, could affect multiple customers, he explained. \u201cWhile we don\u2019t know the extent of the impact that having read\/write access to this infrastructure could have, it\u2019s clear that because it\u2019s shared among tenants, the risk is magnified,\u201d Grant said. 
The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Microsoft responded quickly to Tenable\u2019s notification of the flaw and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"How the CVE-2024-38206 Vulnerability Works\">How the CVE-2024-38206 Vulnerability Works<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Microsoft released Copilot Studio late last year as a drag-and-drop, easy-to-use tool to create custom artificial intelligence (AI) assistants, also known as chatbots. 
These conversational applications allow people to perform a variety of large language model (LLM) and generative AI tasks leveraging data ingested from the Microsoft 365 environment, or any other data that the Power Platform on which the tool is built.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Copilot Studio\u2019s initial release recently <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/application-security\/creating-insecure-ai-assistants-microsoft-copilot-studio\" rel=\"noopener\">was flagged<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> as generally \u201cway overpermissioned\u201d by security researcher Michael Bargury at this year\u2019s Black Hat conference in Las Vegas; he found 15 security issues with the tool that would allow for the creation of flawed chatbots.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The Tenable researchers discovered the tool\u2019s SSRF flaw when they were looking into SSRF vulnerabilities in the APIs for Microsoft\u2019s Azure AI Studio and Azure ML Studio, which the company itself flagged and patched before the researchers could report them. 
The researchers then turned their investigative attention to Copilot Studio to see if it also could be exploited in a similar way.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Exploiting HTTP Requests to Gain Cloud Access\">Exploiting HTTP Requests to Gain Cloud Access<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">When creating a new Copilot, people can define Topics, which allow them to specify key phrases that a user can say to the Copilot to elicit a specific response or action by the AI; one of the actions that can be performed via Topics is an HTTP request. Indeed, most modern apps that deal with data analysis or machine learning have the capability to make these requests, due to their need to integrate data from external services; the downside is that it can create a potential vulnerability, Grant noted.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers tried requesting access to various cloud resources as well as leveraging common SSRF protection bypass techniques using <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/application-security\/researcher-at-black-hat-describes-new-htpp-request-smuggling-attack\" rel=\"noopener\">HTTP requests<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. 
While many requests yielded System Error responses, eventually the researchers pointed their request at a server they controlled and sent a 301 redirect response that pointed to the restricted hosts they had previously tried to request. And eventually through trial and error, and by combining redirects and SSRF bypasses, the researchers managed to retrieve managed identity access tokens from the IMDS to use to access internal cloud resources, such as Azure services and a Cosmos DB instance. They also exploited the flaw to gain read\/write access to the database.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Though the research proved inconclusive about the extent to which the flaw could be exploited to gain access to sensitive cloud data, it was serious enough to prompt immediate mitigation. Indeed, the existence of the SSRF flaw should be <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/application-security\/how-to-weaponize-microsoft-copilot-for-cyberattackers\" rel=\"noopener\">a cautionary tale<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> for users of Copilot Studio of the potential for attackers to abuse its HTTP-request feature to elevate their access to cloud data and resources.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u201cIf an attacker is able to control the target of those requests, they could point the request to a sensitive internal resource for which the server-side application has access even if the attacker doesn\u2019t, revealing 
potentially sensitive information,\u201d Grant warned.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/remote-workforce\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have exploited a vulnerability in Microsoft\u2019s Copilot Studio tool<\/p>\n","protected":false},"author":12,"featured_media":4968,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4967","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive
-cloud-data.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/microsoft-copilot-studio-exploit-leaks-sensitive-cloud-data.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4967"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4967\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4968"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4967"
}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}