The Azure Health Bot Service, a cloud platform designed for healthcare organizations to create and deploy AI-powered virtual health assistants, has been found vulnerable to multiple privilege-escalation issues.
Researchers discovered a server-side request forgery (SSRF) vulnerability (CVE-2024-38109) that allowed access to cross-tenant resources within the service, potentially enabling lateral movement to other resources.
Privilege Escalation Flaw in Azure Health Bot Service
The Azure Health Bot Service enables healthcare providers to create patient-facing chatbots that interact with external data sources, such as patient information portals or medical reference databases. Tenable researchers discovered that the “Data Connections” feature, designed to allow bots to interact with external data sources, could be exploited through a server-side request forgery (SSRF) attack.
By exploiting the Data Connections and third-party request APIs, the researchers performed various test connections and discovered that common endpoints, like Azure’s Internal Metadata Service (IMDS), were initially inaccessible.
However, by configuring a data connection to an external host under their control and exploiting redirect responses (301/302 status codes), the researchers were able to bypass server-side mitigations and gain access to Azure’s Internal Metadata Service (IMDS).
With a valid metadata response, the researchers obtained an access token for management.azure.com and then listed the subscriptions it granted access to via an API call. The call returned hundreds of resources belonging to other customers, confirming cross-tenant information exposure.
Responsible Disclosure and Microsoft Follow-up
After reporting the initial findings to Microsoft’s Security Response Center (MSRC), the researchers confirmed that the issue had been resolved.
Microsoft’s MSRC acknowledged the report and the researchers’ findings and began investigating the issue on June 17, 2024. Within a week, fixes were rolled out to all regions, and by July 2, MSRC confirmed that all affected environments had been patched. According to Microsoft’s security update guide for the CVE-2024-38109 flaw, “The vulnerability documented by this CVE requires no customer action to resolve.”
The researchers retested the original proof-of-concepts and found that the fix simply rejected redirect status codes for data connection endpoints, eliminating the attack vector.
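The two paragraphs above describe the weakness (an outbound “data connection” fetch that followed 301/302 redirects onto the link-local metadata service) and the fix (refusing redirect status codes). The following is an added illustration of what such an egress policy looks like in code; it is not Tenable’s proof-of-concept or Microsoft’s implementation. It goes a little beyond the described fix: besides refusing redirects it also validates the destination address before connecting (rejecting link-local, private, loopback and IPv4-mapped addresses, and pinning the checked IP to close the DNS-rebinding window). All hostnames, IP addresses and HTTP responses are constructed fixtures so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Statuses a normal HTTP client would follow via "Location". As in the fix the
# article describes, the policy rejects them instead of following them.
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({443})


class PolicyViolation(Exception):
    """A data-connection request would break the outbound (egress) policy."""


def _unwrap_mapped(addr):
    """Treat ::ffff:169.254.169.254 exactly like 169.254.169.254."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses. Link-local (where the
    metadata service lives), private, loopback and multicast all fail."""
    addr = _unwrap_mapped(ipaddress.ip_address(ip_text))
    return addr.is_global and not addr.is_multicast


def default_resolver(host: str) -> list:
    """Resolve every A/AAAA record, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_target(url: str, resolver=default_resolver) -> list:
    """Check a configured endpoint before any socket is opened. Returns the
    approved IPs so the caller pins the connection to one of them rather than
    resolving again (closes the DNS-rebinding window)."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise PolicyViolation(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise PolicyViolation("missing host")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise PolicyViolation(f"port not allowed: {port}")
    try:  # literal IP hosts skip DNS but get the same address check
        ips = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        ips = resolver(parts.hostname)
    if not ips:
        raise PolicyViolation("host did not resolve")
    rejected = [ip for ip in ips if not is_public_ip(ip)]
    if rejected:
        raise PolicyViolation(f"host resolves to non-public address(es): {rejected}")
    return ips


def fetch_data_connection(url: str, transport, resolver=default_resolver) -> bytes:
    """transport(url, pinned_ip) -> (status, headers, body). Redirects are
    refused outright: the first hop passed the check, the hop a 301/302
    points at never would."""
    ips = validate_target(url, resolver)
    status, headers, body = transport(url, ips[0])
    if status in REDIRECT_STATUSES:
        raise PolicyViolation(f"redirect ({status}) to {headers.get('Location')!r} refused")
    if status != 200:
        raise PolicyViolation(f"unexpected status {status}")
    return body


# Constructed offline fixtures: hostnames, addresses and responses are invented
# for this example; nothing below touches the network.
FAKE_DNS = {
    "fhir.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.35", "10.0.0.5"],
    "mapped.example.test": ["::ffff:169.254.169.254"],
}
FAKE_RESPONSES = {
    "https://fhir.example.test/Patient/1": (200, {}, b'{"resourceType":"Patient"}'),
    "https://fhir.example.test/bounce": (302, {"Location": "http://169.254.169.254/"}, b""),
}
SCENARIOS = {
    "ok": "https://fhir.example.test/Patient/1",
    "redirect": "https://fhir.example.test/bounce",
    "metadata_literal": "https://169.254.169.254/metadata/instance",
    "rebind": "https://rebind.example.test/Patient/1",
    "mapped": "https://mapped.example.test/Patient/1",
    "plain_http": "http://fhir.example.test/Patient/1",
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url, pinned_ip):
    return FAKE_RESPONSES.get(url, (404, {}, b""))


def run_scenarios() -> dict:
    """Apply the policy to each scenario; returns the body or the refusal."""
    out = {}
    for name, url in SCENARIOS.items():
        try:
            out[name] = fetch_data_connection(url, fake_transport, fake_resolver).decode()
        except PolicyViolation as exc:
            out[name] = f"refused: {exc}"
    return out
```

Only the "ok" scenario returns a body; the redirect is refused at the response stage, while the literal metadata address, the host that rebinds to a private address, the IPv4-mapped link-local address and the plain-http URL are all refused before a connection is attempted. Calling `run_scenarios()` prints nothing; it returns the per-scenario outcome so it can be inspected or asserted on.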
However, during testing a second vulnerability had been discovered in the validation mechanism for FHIR (Fast Healthcare Interoperability Resources) endpoints. While this issue had limited impact, the researchers immediately halted their investigation and reported the finding to Microsoft, opting to respect MSRC’s guidance regarding access to cross-tenant resources. Fixes for this issue were available by July 12.
The researchers clarified that the vulnerabilities they had discovered involved weaknesses in the underlying architecture of the AI chatbot service rather than the AI models themselves.