Microsoft Fixes Serious Copilot Studio Vulnerability That Could Have Leaked Private Information


Cybersecurity researchers have discovered a significant security flaw in Microsoft’s Copilot Studio that could have been exploited to obtain sensitive information.

Cybersecurity researchers have found a serious security flaw in Microsoft’s Copilot Studio that could have been used to obtain private data. The vulnerability, tracked as CVE-2024-38206 (CVSS score: 8.5), is characterized as an information disclosure issue arising from a server-side request forgery (SSRF) attack. In an advisory published on August 6, 2024, Microsoft stated that “an authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network.”

The IT behemoth went on to say that the vulnerability has been fixed and that no action from customers is necessary. The vulnerability was found and reported by Tenable security researcher Evan Grant, who claimed that it exploits Copilot’s capacity to send outbound queries to the internet. “Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft’s internal infrastructure for Copilot Studio, including the instance metadata service (IMDS) and internal Cosmos DB instances,” Grant stated.

In other words, the attack method allowed an attacker to obtain managed identity access tokens by retrieving the instance metadata from within a Copilot chat message. Those tokens could then be misused to reach other internal resources, such as read/write access to a Cosmos DB instance.
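The flaw described above is the classic shape of a cloud SSRF: a feature that makes outbound requests on a user's behalf is steered at the link-local instance metadata service, and the managed identity token it returns unlocks other internal resources. The defensive control is an egress check that classifies the addresses a request would actually connect to, not just the URL string. The following Python is an added example written for this article; it is not code from Microsoft, Tenable or Copilot Studio. The hostnames, the fake DNS table and the `fake_resolver` are constructed for the demo, and the allowed ports are an assumption a real deployment would set from policy.

```python
"""Added example: an egress validator for an "outbound request" feature.

Every destination is reduced to concrete IP addresses (literal or resolved),
and each address is classified with the ipaddress module.  Link-local space,
which contains the 169.254.169.254 instance metadata endpoint, private ranges,
loopback and IPv4-mapped IPv6 forms are all refused.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple, Union

from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: policy allows only standard web ports


def default_resolver(host: str) -> Iterable[str]:
    """Resolve with the system resolver and return every A and AAAA answer."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local (which covers the
    # instance metadata endpoint), reserved and unspecified addresses.
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver: Resolver = default_resolver
                       ) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, addresses).

    The validated addresses are returned so the caller can connect to one of
    them directly (sending the original Host header) instead of letting the
    HTTP client resolve the name a second time, which would reopen the
    check-then-use window that DNS rebinding exploits.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []

    # Literal addresses are classified directly.  Anything else, including
    # unusual spellings that ipaddress rejects, goes through the resolver, so
    # the decision is made on the concrete address rather than on the string.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            candidates = sorted(set(resolver(host)))
        except socket.gaierror as exc:
            return False, f"could not resolve {host}: {exc}", []
    if not candidates:
        return False, f"no addresses for {host}", []

    # Every answer must be public: one non-public record is enough to refuse,
    # because the client may pick any of them.
    for addr in candidates:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to non-public address {addr}", []
    return True, "ok", candidates


# Constructed DNS answers for the demo (not real records).
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "mixed-answers.example": ["8.8.8.8", "169.254.169.254"],
    "intranet.corp.example": ["10.0.0.5"],
}


def fake_resolver(host: str) -> Iterable[str]:
    """Offline stand-in for default_resolver using the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return FAKE_DNS[host]


def demo() -> dict:
    """Run the validator over a handful of constructed destinations."""
    urls = [
        "https://api.partner.example/v1/data",
        "http://169.254.169.254/metadata/instance",
        "http://[::ffff:169.254.169.254]/metadata/instance",
        "http://mixed-answers.example/",
        "http://intranet.corp.example/",
    ]
    return {u: check_outbound_url(u, fake_resolver)[:2] for u in urls}


if __name__ == "__main__":
    for url, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {url}  ({reason})")
```

The design point is that the classification happens on resolved addresses and that the caller is handed those addresses back, so the check and the connection refer to the same target; a filter that only inspects the URL text is the kind of protection the advisory says was bypassed.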

The cybersecurity firm added that although the method does not allow access to data across tenants, the infrastructure supporting the Copilot Studio service is shared among tenants, so elevated access to Microsoft’s internal infrastructure could have affected several customers. Tenable also disclosed two since-patched security issues in Microsoft’s Azure Health Bot Service. The flaws, tracked as CVE-2024-38109 (CVSS score: 9.1), could have allowed a bad actor to access sensitive patient data and move laterally inside customer environments.

The disclosure also comes after Microsoft announced that, as part of its Secure Future Initiative (SFI), all Microsoft Azure customers will need to have multi-factor authentication (MFA) enabled on their accounts as of October 2024. “To log in to the Azure portal, Microsoft Entra admin center, and Intune admin center, MFA will be necessary.” All tenants globally will eventually be subject to enforcement, according to Redmond. “Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.”


About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.