August 21, 2024 at 11:20AM
Tenable researchers discovered a server-side request forgery (SSRF) vulnerability in Microsoft’s Copilot Studio tool, allowing attackers to access sensitive cloud-based information. This flaw, tracked as CVE-2024-38206, could impact multiple tenants by bypassing SSRF protection. However, Microsoft has fully mitigated the vulnerability, ensuring no action is required from Copilot Studio users.
From the meeting notes, it appears that there was a vulnerability discovered in Microsoft’s Copilot Studio tool, known as CVE-2024-38206. Researchers were able to exploit this vulnerability to make external HTTP requests, gaining access to sensitive information concerning internal services within a cloud environment, with potential impact across multiple tenants.
This vulnerability allowed attackers to bypass server-side request forgery (SSRF) protection in Copilot Studio, leaking sensitive cloud-based information over a network. The flaw was described as occurring when an HTTP request created using the tool was combined with an SSRF protection bypass.
Microsoft responded promptly to this notification and fully mitigated the flaw, with no action required on the part of Copilot Studio users.
The exploit involved creating HTTP requests to access cloud data and services from multiple tenants. While the immediate impact on cross-tenant information appeared limited, the shared infrastructure among tenants meant that any impact on the infrastructure could potentially affect multiple customers.
The researchers also found that they could use the exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged. Their exploit ultimately allowed them to gain read/write access to internal cloud resources, such as Azure services and a Cosmos DB instance.
The existence of this SSRF vulnerability in Copilot Studio serves as a cautionary tale for its users of the potential for attackers to abuse the tool’s HTTP-request feature to elevate their access to cloud data and resources.