H-ISAC TLP White Vulnerability Bulletin: Critical Microsoft Copilot Studio Vulnerability Exposes Sensitive Data

August 21, 2024

Critical Microsoft Copilot Studio Vulnerability (CVE-2024-38206) Exposes Sensitive Data

On August 20, 2024, Tenable Security published a blog post regarding a critical vulnerability affecting Microsoft Copilot Studio. Microsoft Copilot Studio is an end-to-end conversational artificial intelligence (AI) platform that enables users to create and customize copilots using natural language or a graphical interface.

The vulnerability, tracked as CVE-2024-38206, is described as an information disclosure flaw that is reached through a server-side request forgery (SSRF) attack. An SSRF vulnerability occurs when an attacker can influence the application into making server-side HTTP requests to unexpected targets, or in an unexpected way.

Tenable's security researchers exploited the vulnerability to reach Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances. Reaching these cloud services can expose sensitive data: virtual machine instance information from IMDS and database information from Cosmos DB.
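The SSRF class described above, as an added example that is not part of this bulletin and not Microsoft's or Tenable's code: a defensive outbound-URL check that a server-side fetcher can apply before it issues a request, rejecting non-HTTP schemes, embedded credentials, hosts outside an allowlist, and any hostname or IP literal that maps to a link-local, loopback, private or otherwise non-public address (the IMDS address 169.254.169.254 is link-local). The hostnames, addresses and fake resolver are constructed sample data, and `check_url`, `_is_public_address` and `fake_resolve` are hypothetical helper names.

```python
"""Outbound URL validation for a server-side fetcher, as an SSRF defence.

Added example; not Microsoft's or Tenable's code. All hostnames, addresses
and the fake resolver below are constructed sample data.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolve(host: str) -> List[str]:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying,
    # otherwise the IPv4 link-local range would be missed.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_url(
    url: str,
    allowed_hosts: Optional[Iterable[str]] = None,
    resolve: Callable[[str], List[str]] = _default_resolve,
) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if every check passes."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return False, f"host '{host}' not in allowlist"
    try:
        ipaddress.ip_address(host)  # IP literal: classify it directly
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return False, f"could not resolve '{host}': {exc}"
    if not addresses:
        return False, f"'{host}' resolved to no addresses"
    # Every address must be public: a name that maps to one public and one
    # internal address is rejected rather than trusted on the public one.
    for addr in addresses:
        if not _is_public_address(addr):
            return False, f"'{host}' resolves to non-public address {addr}"
    return True, "ok"


# Constructed fake DNS table so the example runs offline. 93.184.216.34 is
# used only as an example of a globally routable address; documentation
# ranges such as 203.0.113.0/24 are classified as private by `ipaddress`.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal.test": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.35", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in for _default_resolve that never touches the network."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for sample in (
        "https://api.example.com/v1/data",
        "http://169.254.169.254/",
        "https://metadata.internal.test/",
        "https://dual.example.com/",
        "https://[::ffff:169.254.169.254]/",
        "https://user:pw@api.example.com/",
    ):
        print(sample, "->", check_url(sample, resolve=fake_resolve))
```

Two caveats a practitioner would apply on top of this: the check must be repeated for every redirect hop the HTTP client follows, since a public host can redirect into the metadata range, and the address the client actually connects to should be the one that was validated (pin it, or validate inside the connection hook) so that a second DNS lookup cannot return a different answer.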

Although Microsoft has advised that no user action is required to resolve the issue, Health-ISAC is sharing this information to raise awareness of the use of artificial intelligence as it increasingly becomes a central component across different sectors, especially healthcare.

View the detailed bulletin below.