Microsoft’s AI flagship, Copilot Studio, potentially threatened the firm’s internal infrastructure. Specifically, a critical SSRF vulnerability affected the Microsoft Copilot Studio, which could expose sensitive internal data to an adversary. The tech giant patched the flaw following the bug report.
SSRF Vulnerability Found In Microsoft Copilot Studio
According to a recent post from Tenable, a serious server-side request forgery (SSRF) vulnerability impacted the security of Microsoft Copilot Studio.
Specifically, the researchers observed a peculiar functionality permitted by the tool—a user could send HTTP requests as prompts. Tempted by this feature, the researchers went ahead and tested it against Instance Metadata Service (IMDS) and Cosmos DB instances.
Initially, they observed no success when making direct requests. However, with a little modification in the prompt, the researchers succeeded in bypassing SSRF protection. Besides, the researchers could redirect the HttpRequestAction to their own server, eventually making requests to IMDS after some modifications. These modifications include the necessary presence of the header Metadata: true and the absence of X-Forwarded-For: header in the requests.
Ultimately, the researchers could retrieve the instance metadata from the Copilot’s response in plaintext. While the initially retrieved information was not sensitive, Tenable could also retrieve identity access tokens from IMDS, highlighting the severity of the flaw.
Next, the researchers retrieved the Azure subscriptions associated with identity access tokens in hand, which eventually revealed a Cosmos DB instance. Although Cosmos DB access was restricted to internal Microsoft IP addresses, it did include the researchers’ Copilot, which allowed them to retrieve the target instance’s endpoint URL. Ultimately, they could generate a request that allowed them to gain read/write access to the internal Cosmos DB instance.
This vulnerability, CVE-2024-38206, received a critical severity rating and a CVSS score of 8.5. Tenable’s post provides a detailed technical analysis of the vulnerability and its exploitation process.
Microsoft Patched The Vulnerability
Upon discovering the vulnerability, Tenable contacted Microsoft to report the matter. In response, Microsoft acknowledged the bug report, crediting Tenable’s Evan Grant for this discovery. It also patched the vulnerability, confirming full mitigation in its advisory.
Moreover, the tech giant also confirmed requiring no action from the users to receive the fix.
Let us know your thoughts in the comments.