Pierluigi Paganini August 21, 2024

Researchers have disclosed a critical security vulnerability in Microsoft’s Copilot Studio that could lead to the exposure of sensitive information.

Researchers disclosed a critical security vulnerability, tracked as CVE-2024-38206 (CVSS score: 8.5), impacting Microsoft’s Copilot Studio. An attacker can exploit the vulnerability to access sensitive information.

The flaw is an information disclosure vulnerability resulting from a server-side request forgery (SSRF) attack.

“An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network.” reads the advisory published by Microsoft.

Microsoft confirmed that the vulnerability has already been fully addressed and there is no action for users of this service to take.

The vulnerability was reported by the cybersecurity researcher Evan Grant from Tenable.

“we take a look at a server-side request forgery (SSRF) vulnerability in Copilot Studio that leveraged Copilot’s ability to make external web requests. Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft’s internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances.” reads the report published by Grant.

Tenable research explained that the flaw allows an attacker to exploit the Copilot’s ability to perform HTTP requests triggered by key phrases. By manipulating HTTP headers and using redirect techniques, attackers can bypass protections and access sensitive cloud resources, including the Instance Metadata Service (IMDS). Attackers can exploit this flaw to retrieve instance metadata and managed identity access tokens, potentially allowing unauthorized access to other internal Azure resources.

The researchers also explained that they used an access token to explore Azure subscriptions and found a Cosmos DB resource. Although this database was restricted to Microsoft’s internal infrastructure, the Copilot’s ability to make HTTP requests enabled access. The researchers successfully gained read/write access to the internal Cosmos DB instance by generating a valid authorization token and using the appropriate headers.

“We tested this from multiple tenants and confirmed that, while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants. Any impact on that infrastructure could affect multiple customers. While we don’t know the extent of the impact that having read/write access to this infrastructure could have, it’s clear that because it’s shared among tenants, the risk is magnified.” concludes the report published by Tenable. “We also determined we could access other internal hosts, unrestricted, on the local subnet to which our instance belonged (10.0.x.0/24).”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Copilot Studio)