CFOtech Asia - Technology news for CFOs & financial decision-makers
Asia
Guides
#
cybersecurity
#
data analytics
#
data analytics
#
digital transformation
#
hybrid & remote work
Search
Story image
#
Microsoft
#
Sensitive Information
#
Tenable

Tenable finds critical flaw in Microsoft’s Copilot Studio

Wed, 28th Aug 2024
Author image
By Melania Watson, Interview Editor

Tenable has revealed that its research team has identified a critical information disclosure vulnerability in Microsoft's Copilot Studio. The vulnerability, classified as a server-side request forgery (SSRF), allowed researchers to access potentially sensitive information related to service internals, which could have impacted multiple tenants.

This vulnerability arose due to improper handling of redirect status codes for user-configurable actions within Copilot Studio. It follows Tenable’s previous discoveries of flaws in Microsoft's Azure Health Bot service, Azure Service Tags, and three vulnerabilities in the Azure API Management service.

An SSRF vulnerability occurs when an attacker influences an application to make server-side HTTP requests to unintended targets or in unexpected ways. For instance, an attacker could force a remote host application to make requests to an unintended location. If the attacker can control the target of those requests, they could direct the request to a sensitive internal resource accessible to the server-side application but not to the attacker, thus revealing potentially sensitive information.

Had this issue been exploited by a malicious actor, they could have accessed the internal infrastructure of Copilot Studio, a shared environment among customers. This could have allowed access to Azure's Instance Metadata Service (IMDS), enabling a threat actor to obtain access tokens for the environment. These tokens could grant further access to other shared resources, such as a Cosmos DB, where sensitive information regarding the internals of Copilot Studio is stored.

"In the context of cloud applications, a common target is the Instance Metadata Service (IMDS), which, depending on the cloud platform, can yield useful, potentially sensitive information for an attacker. In this case, we were able to retrieve managed identity access tokens from the IMDS. No information beyond the usage of Copilot Studio was required to exploit this flaw," explained Jimi Sebree, Senior Staff Research Engineer at Tenable. "As in some of the previous vulnerabilities found by our research team, this vulnerability demonstrates that mistakes can be made when companies rush to release products in a new or rapidly expanding space."

Microsoft has confirmed that remediations for this issue were implemented as of 31 July 2024, and no customer action is required.

Further technical findings and proof of concept have been published on the Tenable blog and in the technical advisory.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Southeast Asia's financial sector faces major cybersecurity risks
Crayon teams up with Microsoft for exciting AI roadshow
Hyperscaler cloud marketplaces to reach USD $85 billion by 2028
Shai Morag appointed Tenable's new chief product officer
Zendesk appoints Lila Tretikov to board of directors
Top stories
Cloudera’s AI play is all about data, leveraging a decade of experience
Binance launches token unlock & vesting schedule feature
The one BYOD security solution every enterprise needs (but isn’t using)
Salesforce unveils Agentforce: autonomous AI for productivity
SuiteWorld 2024: Annexa's successes and the future of AI in Cloud ERP