Server-side request forgery (SSRF) vulnerability in AI-powered tool allowed access to sensitive Microsoft cloud resources, quickly patched after discovery
Microsoft has addressed a critical vulnerability in its Copilot Studio tool that allowed cybersecurity researchers to gain access to sensitive internal cloud data and services. The flaw, identified as CVE-2024-38206, was uncovered by the cybersecurity firm Tenable and has been classified as a server-side request forgery (SSRF) issue.
Copilot Studio, which is part of Microsoft’s Power Platform, enables users to create custom AI chatbots capable of performing various tasks using data from Microsoft 365 and other connected sources. One of its key features is the ability to make HTTP requests triggered by specific user inputs.
Tenable’s researchers discovered that by exploiting this HTTP request functionality, combined with an SSRF protection bypass, they could penetrate Microsoft’s internal infrastructure related to Copilot Studio. This breach granted them access to the Instance Metadata Service (IMDS) and internal Cosmos DB databases.
Through their exploit, the researchers were able to retrieve instance metadata, including managed identity access tokens, via Copilot chat messages. These tokens could potentially be used to access additional internal Microsoft cloud resources.
While the particular database accessed was confined to Microsoft’s internal infrastructure, the researchers’ Copilot instance successfully interacted with it by crafting requests with the correct headers.
Although no cross-tenant data was immediately accessible, Tenable highlighted that the shared infrastructure of Copilot Studio among different customers meant that any breach could potentially impact multiple tenants.
Upon being informed of the vulnerability, Microsoft acted swiftly to resolve the issue. The company assigned it the identifier CVE-2024-38206 and classified it as a critical information disclosure vulnerability. Microsoft confirmed that the flaw has been fully mitigated, and no action is required from customers.
The discovery of this SSRF vulnerability underscores the potential risks inherent in AI-powered cloud services capable of making external HTTP requests.
