A vulnerability in Microsoft Copilot Studio could expose sensitive data


Microsoft’s AI flagship, Copilot Studio, potentially threatened the company’s internal infrastructure. A critical SSRF vulnerability specifically affected the Microsoft Copilot Studio, allowing sensitive internal data to be exposed to an adversary. The tech giant patched the flaw following the bug report.

SSRF vulnerability found in Microsoft Copilot Studio

According to a recent report from Tenable, a severe server-side request forgery (SSRF) vulnerability impacted the security of Microsoft Copilot Studio.

Specifically, the researchers observed a special functionality allowed by the tool: a user could send HTTP requests as prompts. Enticed by this feature, the researchers went ahead and tested it with Instance Metadata Service (IMDS) and Cosmos DB instances.

Initially, they had no success in making direct requests. However, with a small adjustment to the prompt, the researchers were able to bypass the SSRF protection. Furthermore, the researchers could redirect the HttpRequestAction to their own server and, after some further changes, make requests to IMDS. These changes included ensuring that the header Metadata: true was present and that the X-Forwarded-For header was absent from the requests.

Ultimately, the researchers were able to retrieve the instance’s metadata in plaintext from the Copilot response. Although the initial information retrieved was not sensitive, Tenable was also able to retrieve identity access tokens from IMDS, highlighting the severity of the flaw.

The researchers then retrieved the Azure subscriptions associated with the identity access tokens, which ultimately revealed a Cosmos DB instance. Although Cosmos DB access was limited to internal Microsoft IP addresses, that range included the researchers’ Copilot instance, allowing them to retrieve the target instance’s endpoint URL. Finally, they were able to generate a request that gave them read/write access to the internal Cosmos DB instance.
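The path described above relies on an outbound-request feature that follows a redirect onto the link-local IMDS address. The following is an added example of how such a feature can validate its destination (not Microsoft's or Tenable's code): every hostname is resolved and checked against link-local, loopback and private ranges, and each redirect hop is re-checked instead of being followed blindly. The `fetch` callable and the resolver injected by the test are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Ranges an outbound-request feature should never reach: 169.254.0.0/16 holds the
# IMDS address, the rest are loopback, RFC 1918, CGNAT and IPv6 local ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "::1/128", "fe80::/10",
    "fc00::/7")]

def resolve_all(host):
    """Every address the host resolves to (real DNS; the test injects a fake)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_is_allowed(url, resolver=resolve_all):
    """Return (ok, reason). Checks the scheme, then every address the host
    resolves to, so a DNS name pointing at IMDS fails like the literal does."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
        if ip.is_loopback or ip.is_link_local or ip.is_private or \
                any(ip in net for net in BLOCKED_NETS):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"

def fetch_with_checked_redirects(url, fetch, resolver=resolve_all, max_hops=5):
    """Follow redirects by hand and re-check every hop, so an allowed host that
    redirects to IMDS is stopped. `fetch(url)` is an assumed HTTP client that
    returns (status, headers, body) and does not follow redirects itself."""
    for _ in range(max_hops + 1):
        ok, reason = url_is_allowed(url, resolver)
        if not ok:
            raise PermissionError(f"blocked {url}: {reason}")
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers["Location"])
    raise PermissionError("too many redirects")
```

Resolving before the check matters because a name that resolves to 169.254.169.254 is just as dangerous as the literal address; the redirect loop exists because the page's attack path reached IMDS through a redirect from an allowed host.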


This vulnerability, CVE-2024-38206, received a critical severity rating and a CVSS score of 8.5. Tenable’s post provides a detailed technical analysis of the vulnerability and its exploitation process.

Microsoft has fixed the vulnerability

When Tenable discovered the vulnerability, it contacted Microsoft to report the issue. In response, Microsoft acknowledged the bug report and credited Tenable’s Evan Grant for the discovery. It has also patched the vulnerability and published an advisory confirming full mitigation.

Furthermore, the tech giant also confirmed that no action was required from users to receive the fix.
