August 21, 2024 at 08:54AM
A vulnerability in Microsoft Copilot Studio, tracked as CVE-2024-38206, allowed access to sensitive internal infrastructure. Despite being fully mitigated, an attacker could bypass server-side request forgery protection to leak information. The exploitation also led to access to Cosmos DB instances. This flaw may have had cross-tenant impacts, prompting concern over privacy and security issues.
Based on the meeting notes, the main takeaway is that there was a critical vulnerability, tracked as CVE-2024-38206, in Microsoft Copilot Studio that could be exploited to access sensitive information on the internal infrastructure used by the service. The vulnerability was described as a ‘critical’ information disclosure bug and had a CVSS score of 8.5. Although Microsoft has fully mitigated the flaw, the vulnerability allowed attackers to bypass server-side request forgery (SSRF) protection in Copilot Studio, potentially leaking sensitive information over a network.
Tenable, the cybersecurity firm, identified that the issue was an SSRF security defect in Copilot Studio, which allowed attackers to make external web requests and gain access to Microsoft’s internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances. Furthermore, Tenable discovered that by bypassing the service’s SSRF protections, they were able to access additional resources, including an Azure subscription containing Cosmos DB endpoints, and obtain the Cosmos DB master keys, gaining read/write permissions.
It’s crucial to note that the exploitation of this vulnerability potentially had a cross-tenant impact, as the infrastructure used for the Copilot Studio service was shared among tenants. This emphasizes the importance of thorough vulnerability management and mitigation to prevent potential cross-tenant impact.
Additionally, it’s essential for all users of Copilot Studio to be aware of the implications of this vulnerability and the potential for unauthorized access to sensitive information. The successful exploitation of this vulnerability highlights the critical need for consistent and robust security measures to prevent unauthorized access and potential data breaches.