Analysis Summary

Cybersecurity researchers have identified two critical vulnerabilities in Microsoft's Azure Health Bot Service that could potentially allow malicious actors to achieve lateral movement within customer environments and gain access to sensitive patient data.

The flaws have since been patched by Microsoft. The Azure Health Bot Service is a cloud platform used by healthcare organizations to build AI-powered virtual health assistants for tasks such as managing administrative workloads and engaging with patients. Research focused on a component of the service called Data Connections, which is designed to integrate data from external sources, including third-party services and APIs.

Although the feature includes safeguards against unauthorized access, researchers found that these protections could be circumvented by configuring a data connection to respond with 301 or 302 redirect status codes to Azure's metadata service (IMDS). This tactic enabled attackers to obtain a valid metadata response, and acquire an access token for management.azure[.]com, and eventually list accessible resources by calling other APIs.

Another related vulnerability was found in an endpoint associated with systems supporting the Fast Healthcare Interoperability Resources (FHIR) data exchange format. Both vulnerabilities raise significant concerns about the security of chatbots in revealing sensitive information and underscore the importance of traditional web apps and cloud security, even in the era of AI-driven services.

Microsoft has assigned the CVE identifier CVE-2024-38109 (with a CVSS score of 9.1) to the privilege escalation flaw in the Azure Health Bot Service. This Server-Side Request Forgery (SSRF) vulnerability allowed authenticated attackers to elevate privileges over a network. Microsoft began rolling out fixes to address these vulnerabilities after they were reported in June and July 2024, with no evidence of exploitation in the wild.

Impact

• Information Disclosure
• Privilege Escalation
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-38109

Affected Vendors

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.