Microsoft’s AI flagship, Copilot Studio, faced a potential threat to its internal infrastructure. A critical SSRF vulnerability was discovered in Microsoft Copilot Studio, which had the potential to expose sensitive internal data to malicious actors. The vulnerability was promptly patched by the tech giant following the bug report.
SSRF Vulnerability Identified in Microsoft Copilot Studio
Recently, Tenable revealed in a post that a significant server-side request forgery (SSRF) vulnerability posed a security risk to Microsoft Copilot Studio.
The researchers found a unique functionality in the tool that allowed users to send HTTP requests as prompts. Intrigued by this feature, the researchers tested it against Instance Metadata Service (IMDS) and Cosmos DB instances.
Initially, direct requests did not yield any results. However, after some modifications to the prompts, the researchers were able to bypass SSRF protection. They successfully redirected the HttpRequestAction to their server, enabling requests to IMDS with specific changes in the headers.
By exploiting the vulnerability, the researchers could access instance metadata from Copilot’s response in plain text. They were also able to retrieve identity access tokens from IMDS, underscoring the seriousness of the flaw.
Subsequently, the researchers uncovered Azure subscriptions associated with the tokens, revealing a Cosmos DB instance. Despite restricted access to internal Microsoft IP addresses, the researchers leveraged their Copilot access to gain read/write permissions to the internal Cosmos DB instance.
The vulnerability, identified as CVE-2024-38206, received a critical severity rating and a CVSS score of 8.5. Tenable’s post offers an in-depth technical analysis of the vulnerability and its exploitation methods.
Microsoft Addresses the Vulnerability
Upon being informed of the vulnerability, Microsoft promptly responded and credited Tenable’s Evan Grant for the discovery. The company swiftly patched the vulnerability, ensuring complete mitigation as detailed in its advisory.
Furthermore, Microsoft assured users that no additional action was required to receive the fix.
We invite you to share your thoughts in the comments section.