Tenable has disclosed that its Tenable Research Team has discovered a critical information disclosure vulnerability in Microsoft’s Copilot Studio via a server-side request forgery (SSRF), which allowed researchers access to potentially sensitive information regarding service internals with potential cross-tenant impact. This vulnerability exists due to improper handling of redirect status codes for user-configurable actions within Copilot Studio. This follows the team’s recent discoveries of flaws in Microsoft’s Azure Health Bot service, Azure Service Tags and three vulnerabilities in the Azure API Management service.
An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way, for example forcing an application on a remote host to make requests to an unintended location. If an attacker is able to control the target of those requests, they could point the request to a sensitive internal resource for which the server-side application has access, even if the attacker doesn’t, revealing potentially sensitive information. Had this issue been exploited by a malicious actor, they would have been able to access the internal infrastructure of Copilot Studio, which is a shared environment among customers. This could have allowed access to Azure’s Instance Metadata Service (IMDS) allowing a threat actor to obtain access tokens for the environment, granting further access to other shared resources, such as a Cosmos DB, where sensitive information regarding the internals of Copilot Studio are stored.
“In the context of cloud applications, a common target is the Instance Metadata Service (IMDS) which, depending on the cloud platform, can yield useful, potentially sensitive information for an attacker. In this case, we were able to retrieve managed identity access tokens from the IMDS. No information beyond the usage of Copilot Studio was required to exploit this flaw,” explains Jimi Sebree, senior staff research engineer, Tenable. “As in some of the previous vulnerabilities found by our research team, this vulnerability demonstrates that mistakes can be made when companies rush to be the first to release products in a new or rapidly expanding space.”
Microsoft has confirmed that remediations for this issue were in place as of July 31, 2024. No customer action is required.
Punjab National Bank (PNB) has appointed Ashwini Pandey as General Manager and Data Protection Officer (DPO), underscoring the state-owned lender’s sharpened focus on cybersecurity, data governance and regulatory...
New campus in Sector 129 houses more than 700 employees and adds to the company’s growing engineering and customer-facing footprint in India. Adobe has opened a new office...
IIFL Home Loans has announced the appointment of Sumit Chadha as its new Chief Technology Officer (CTO), reinforcing the company’s commitment to accelerating its digital transformation and enhancing...
Airtel Business, the B2B arm of Bharti Airtel has launched Airtel Secure Workforce, a fully-managed and unified Zero Trust Architecture (ZTA) security platform with an end-to-end, compliance-ready security...
IBM and Yotta Data Services have announced plans to collaborate on a new sovereign Agentic AI platform aimed at enterprises and government organizations in India. The platform is...
