Microsoft SharePoint Connector Flaw Could’ve Enabled Credential Theft Across Power Platform

Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / SharePoint

Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user’s credentials and stage follow-on attacks.

This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf of the impersonated user, enabling unauthorized access to sensitive data, Zenity Labs said in a report shared with The Hacker News ahead of publication.

“This vulnerability can be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, which significantly broadens the scope of potential damage,” senior security researcher Dmitry Lozovoy said.

“It increases the likelihood of a successful attack, allowing hackers to target multiple interconnected services within the Power Platform ecosystem.”


Following responsible disclosure in September 2024, Microsoft addressed the security hole, assessed with an “Important” severity rating, as of December 13.

Microsoft Power Platform is a collection of low-code development tools that allow users to facilitate analytics, process automation, and data-driven productivity applications.

The vulnerability, at its core, is an instance of server-side request forgery (SSRF) stemming from the use of the “custom value” functionality within the SharePoint connector that permits an attacker to insert their own URLs as part of a flow.

However, in order for the attack to be successful, the rogue user will need to have an Environment Maker role and the Basic User role in Power Platform. This also means that they would need to first gain access to a target organization through other means and acquire these roles.

“With the Environment Maker role, they can create and share malicious resources like apps and flows,” Zenity told The Hacker News. “The Basic User role allows them to run apps and interact with resources they own in Power Platform. If the attacker doesn’t already have these roles, they would need to gain them first.”

In a hypothetical attack scenario, a threat actor could create a flow for a SharePoint action and share it with a low-privileged user (read: victim), resulting in a leak of their SharePoint JWT access token.

Armed with this captured token, the attacker could send requests outside of the Power Platform on behalf of the user to whom access was granted.

That’s not all. The vulnerability could be extended further to other services like Power Apps and Copilot Studio by creating a seemingly benign Canvas app or a Copilot agent to harvest a user’s token, and escalate access further.


“You can take this even further by embedding the Canvas app into a Teams channel, for example,” Zenity noted. “Once users interact with the app in Teams, you can harvest their tokens just as easily, expanding your reach across the organization and making the attack even more widespread.”

“The main takeaway is that the interconnected nature of Power Platform services can result in serious security risks, especially given the widespread use of the SharePoint connector, which is where a lot of sensitive corporate data is housed, and it can be complicated to ensure proper access rights are maintained throughout various environments.”
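For teams reviewing shared flows for the “custom value” pattern described above, the following added example (not code from Zenity, Microsoft, or this article) audits an exported flow definition and reports SharePoint connector actions whose site address is not on an allow-list. It assumes the action layout of exported cloud-flow definitions (an `apiId` ending in `shared_sharepointonline` and a `dataset` parameter holding the site address); the sample flow and host names are constructed.

```python
from urllib.parse import urlparse

# Assumption: SharePoint connector id and "dataset" (site address) parameter
# as they appear in exported cloud-flow definitions.
SHAREPOINT_API = "shared_sharepointonline"

def host_allowed(url, allowed_hosts):
    """Exact-host match over https; substring checks miss lookalike hosts."""
    try:
        parsed = urlparse(str(url))
    except ValueError:
        return False
    return parsed.scheme == "https" and (parsed.hostname or "").lower() in allowed_hosts

def iter_actions(actions):
    """Yield (name, action), descending into nested scopes and else-branches."""
    for name, action in (actions or {}).items():
        yield name, action
        yield from iter_actions(action.get("actions"))
        yield from iter_actions((action.get("else") or {}).get("actions"))

def audit_flow(definition, allowed_hosts):
    """Return (action, site) for SharePoint actions whose site is not allow-listed."""
    findings = []
    for name, action in iter_actions(definition.get("actions")):
        inputs = action.get("inputs")
        if not isinstance(inputs, dict):
            continue  # e.g. a Compose action with a literal input
        if not (inputs.get("host") or {}).get("apiId", "").endswith(SHAREPOINT_API):
            continue
        site = (inputs.get("parameters") or {}).get("dataset", "")
        if not host_allowed(site, allowed_hosts):
            findings.append((name, site))
    return findings

# Constructed sample definition; all hosts are placeholders.
SP = {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"}
SAMPLE_FLOW = {"actions": {
    "Get_items": {"inputs": {"host": SP, "parameters": {
        "dataset": "https://contoso.sharepoint.com/sites/hr"}}},
    "Scope": {"actions": {
        "Get_file": {"inputs": {"host": SP, "parameters": {
            "dataset": "https://contoso.sharepoint.com.collector.example/"}}},
        "Compose": {"inputs": "plain string"}}},
    "Condition": {"actions": {}, "else": {"actions": {
        "Update_item": {"inputs": {"host": SP, "parameters": {
            "dataset": "@triggerBody()?['site']"}}}}}},
}}

if __name__ == "__main__":
    for action, site in audit_flow(SAMPLE_FLOW, {"contoso.sharepoint.com"}):
        print(f"review: {action} -> {site!r}")
```

Site addresses supplied as runtime expressions are reported as well, since they cannot be checked statically and need manual review.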

The development comes as Binary Security detailed three SSRF vulnerabilities in Azure DevOps that could have been abused to communicate with the metadata API endpoints, thereby permitting an attacker to glean information about the machine’s configuration.
