Cybersecurity researchers have came upon two safety flaws in Microsoft’s Azure Well being Bot Provider that, if exploited, may just allow a malicious actor to succeed in lateral motion inside of buyer environments and get right of entry to delicate affected person knowledge.
The vital problems, now patched by means of Microsoft, may have allowed get right of entry to to cross-tenant sources throughout the provider, Tenable mentioned in a brand new document shared with The Hacker Information.
The Azure AI Well being Bot Provider is a cloud platform that allows builders in healthcare organizations to construct and deploy AI-powered digital well being assistants and create copilots to regulate administrative workloads and interact with their sufferers.
This contains bots created by means of insurance coverage provider suppliers to permit shoppers to seem up the standing of a declare and ask questions on advantages and services and products, in addition to bots controlled by means of healthcare entities to lend a hand sufferers in finding suitable care or glance up within sight medical doctors.
Tenable’s analysis particularly specializes in one side of the Azure AI Well being Bot Provider referred to as Information Connections, which, because the identify implies, provides a mechanism for integrating knowledge from exterior resources, be it 3rd events or the provider suppliers’ personal API endpoints.
Whilst the function has integrated safeguards to stop unauthorized get right of entry to to inner APIs, additional investigation discovered that those protections might be bypassed by means of issuing redirect responses (i.e., 301 or 302 standing codes) when configuring an information connection the usage of an exterior host below one’s regulate.
By means of putting in place the host to reply to requests with a 301 redirect reaction destined for Azure’s metadata provider (IMDS), Tenable mentioned it used to be conceivable to acquire a legitimate metadata reaction after which pay money for an get right of entry to token for control.azure[.]com.
The token may just then be used to record the subscriptions that it supplies get right of entry to to by the use of a decision to a Microsoft endpoint that, in flip, returns an inner subscription ID, which might in the long run be leveraged to record the obtainable sources by means of calling some other API.
One by one, it used to be additionally came upon that some other endpoint associated with integrating methods that enhance the Speedy Healthcare Interoperability Sources (FHIR) knowledge change layout used to be prone to the similar assault as neatly.
Tenable mentioned it reported its findings to Microsoft in June and July 2024, following which the Home windows maker started rolling out fixes to all areas. There is not any proof that the problem used to be exploited within the wild.
“The vulnerabilities elevate considerations about how chatbots can also be exploited to show delicate knowledge,” Tenable mentioned in a remark. “Particularly, the vulnerabilities concerned a flaw within the underlying structure of the chatbot provider, highlighting the significance of conventional internet app and cloud safety within the age of AI chatbots.”
The disclosure comes days after Semperis detailed an assault method referred to as UnOAuthorized that permits for privilege escalation the usage of Microsoft Entra ID (previously Azure Lively Listing), together with the power so as to add and take away customers from privileged roles. Microsoft has since plugged the protection hollow.
“A risk actor may have used such get right of entry to to accomplish privilege elevation to World Administrator and set up additional method of patience in a tenant,” safety researcher Eric Woodruff mentioned. “An attacker may just additionally use this get right of entry to to accomplish lateral motion into any device in Microsoft 365 or Azure, in addition to any SaaS utility attached to Entra ID.”