Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft’s Copilot Studio that could be exploited to access sensitive information.
Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery (SSRF) attack.
“An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network,” Microsoft said in an advisory released on August 6, 2024.
The tech giant further said the vulnerability has been addressed and that it requires no customer action.
Tenable security researcher Evan Grant, who is credited with discovering and reporting the shortcoming, said it takes advantage of Copilot’s ability to make external web requests.
“Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft’s internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances,” Grant said.
Put differently, the attack technique made it possible to retrieve the instance metadata in a Copilot chat message and use it to obtain managed identity access tokens, which could then be abused to access other internal resources, including gaining read/write access to a Cosmos DB instance.
The cybersecurity company further noted that while the method does not allow access to cross-tenant information, the infrastructure powering the Copilot Studio service is shared among tenants, so elevated access to Microsoft’s internal infrastructure could potentially affect multiple customers.
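The root cause here is an outbound-request feature whose SSRF guard could be bypassed to reach the link-local IMDS endpoint. The check below is an added illustration of how such a guard is typically hardened (it is not Microsoft’s or Tenable’s code and assumes a hypothetical agent that fetches user-supplied URLs): every address the host resolves to is tested against loopback, private and link-local ranges, and IPv4-mapped IPv6 literals are unwrapped so they cannot slip past a string-based filter.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny-list: ranges an outbound-fetch feature should never reach.
# 169.254.0.0/16 contains the cloud Instance Metadata Service (169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if an IP literal falls in a loopback, private or link-local range."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the same host as 169.254.169.254; unwrap it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve(host: str) -> list[str]:
    """Return every address a host maps to; IP literals map to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=resolve) -> tuple[bool, str]:
    """Decide whether the agent may fetch url; returns (allowed, reason).

    The verdict is based on resolved addresses, not on the hostname string, so
    a DNS name pointing at IMDS is rejected too. Callers must re-run this check
    on every redirect hop and must not let the HTTP client follow redirects."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    host = parsed.hostname
    if not host:
        return False, "no host"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

A deny-list is a floor, not a ceiling: a managed identity reachable from the fetch path should also be restricted to the minimum roles it needs, so a token leaked this way grants little.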
The disclosure comes as Tenable detailed two now-patched security flaws in Microsoft’s Azure Health Bot Service (CVE-2024-38109, CVSS score: 9.1) that, if exploited, could allow a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.
It also follows an announcement from Microsoft that it will require all Microsoft Azure customers to have multi-factor authentication (MFA) enabled on their accounts starting October 2024 as part of its Secure Future Initiative (SFI).
“MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide,” Redmond said.
“Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.”