Cybersecurity experts have identified two security flaws in Microsoft’s Azure Health Bot Service that could allow malicious actors to move laterally within customer environments and access sensitive patient data if exploited.
These critical vulnerabilities, which Microsoft has since patched, had the potential to grant unauthorized access to cross-tenant resources within the service, according to a new report by Tenable, shared with The Hacker News.
The Azure AI Health Bot Service is a cloud platform that enables healthcare organizations to develop and deploy AI-powered virtual health assistants and create tools to manage administrative tasks and interact with patients.
These tools include bots created by insurance companies to help customers check the status of a claim and inquire about benefits and services, as well as bots managed by healthcare providers to assist patients in finding appropriate care or locating nearby doctors.
Tenable’s research specifically focused on a feature of the Azure AI Health Bot Service called Data Connections. This feature allows for the integration of data from external sources, including third-party APIs or the service providers’ own API endpoints.
Although the feature includes safeguards meant to stop a data connection from reaching internal APIs, further investigation showed that those checks could be bypassed: an attacker who pointed a data connection at an external host under their control could have that host answer with a redirect response (a 301 or 302 status code), and the service would follow the redirect without re-validating the new destination.
By configuring the host to respond with a 301 redirect aimed at Azure’s Instance Metadata Service (IMDS), Tenable found that it could obtain a valid metadata response and acquire an access token for management.azure[.]com, i.e., a token issued for the managed identity of the host running the service.
This token could then be used to list the subscriptions it grants access to by making a call to a Microsoft endpoint, which returns an internal subscription ID that could ultimately be used to list accessible resources through another API.
In addition, another endpoint related to systems that support the Fast Healthcare Interoperability Resources (FHIR) data exchange format was found to be vulnerable to the same type of attack.
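The pattern behind both findings is the same server-side request forgery (SSRF) bypass: the destination is validated once, when the tenant configures it, and never again as redirects are followed. The following Python example is added here to illustrate that flaw and its fix; it is not Microsoft's Health Bot code or Tenable's proof of concept. The DNS table, the HTTP responses and both fetchers are constructed for the example, with a fake transport so it runs offline. It also goes one step beyond the article: a hostname that simply resolves to 169.254.169.254 is shown to slip past a hostname-string denylist as well, which is why the hardened fetcher checks the resolved address of every hop.

```python
"""Redirect-based SSRF bypass of an outbound-fetch allowlist, and a fix.

Constructed example, not code from the Health Bot service or from Tenable.
FAKE_DNS and FAKE_HTTP stand in for the network so the script runs offline.
"""
import ipaddress
from urllib.parse import urljoin, urlparse

# Address ranges an outbound data-connection fetcher must never reach.
# 169.254.0.0/16 (link-local) covers Azure IMDS at 169.254.169.254;
# 168.63.129.16 is Azure's wire server. Production code should additionally
# reject anything for which ipaddress.ip_address(x).is_global is False.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "168.63.129.16/32",
    "::1/128", "fe80::/10", "fc00::/7",
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# Real IMDS managed-identity token endpoint; the response body below is made up.
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https://management.azure.com/")

# Constructed resolver (hostname -> IP). "imds.attacker.example" models an
# attacker-controlled DNS record that points straight at IMDS.
FAKE_DNS = {
    "attacker.example": "203.0.113.10",
    "imds.attacker.example": "169.254.169.254",
    "api.partner.example": "198.51.100.7",
    "169.254.169.254": "169.254.169.254",
}

# Constructed responses (URL -> (status, headers, body)).
FAKE_HTTP = {
    "https://attacker.example/data": (301, {"Location": IMDS_TOKEN_URL}, ""),
    IMDS_TOKEN_URL: (200, {}, '{"access_token":"<managed-identity-token>"}'),
    "https://imds.attacker.example/metadata/instance?api-version=2021-02-01":
        (200, {}, '{"compute":{"subscriptionId":"<redacted>"}}'),
    "https://api.partner.example/claims": (200, {}, '{"claims":[]}'),
}


class BlockedDestination(Exception):
    pass


def destination_allowed(url):
    """Resolve the host and judge the *resolved IP*, never the hostname text."""
    host = urlparse(url).hostname
    if host is None or host not in FAKE_DNS:
        return False
    ip = ipaddress.ip_address(FAKE_DNS[host])
    return not any(ip in net for net in BLOCKED_NETS)


# The weak safeguard: a denylist of literal host strings, applied once.
DENYLISTED_HOSTS = {"169.254.169.254", "localhost", "127.0.0.1"}


def fetch_vulnerable(url):
    """Validates only the URL the tenant configured, then follows Location
    headers blindly. A 301 from the attacker's host lands on IMDS."""
    if urlparse(url).hostname in DENYLISTED_HOSTS:
        raise BlockedDestination(url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = FAKE_HTTP.get(url, (404, {}, ""))
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise BlockedDestination("too many redirects")


def fetch_hardened(url):
    """Re-validates the resolved address of every hop in the redirect chain.
    A real client must also connect to the IP it validated (pin it) so a
    second DNS lookup cannot swap in a different answer."""
    for _ in range(MAX_REDIRECTS + 1):
        if not destination_allowed(url):
            raise BlockedDestination(url)
        status, headers, body = FAKE_HTTP.get(url, (404, {}, ""))
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise BlockedDestination("too many redirects")


def probe(fetcher, url):
    """Return the body the fetcher would hand back, or 'BLOCKED'."""
    try:
        return fetcher(url)[1]
    except BlockedDestination:
        return "BLOCKED"


def demo():
    redirect = "https://attacker.example/data"
    dns = "https://imds.attacker.example/metadata/instance?api-version=2021-02-01"
    legit = "https://api.partner.example/claims"
    return {
        "vuln_direct_imds": probe(fetch_vulnerable, IMDS_TOKEN_URL),  # denylist works
        "vuln_redirect": probe(fetch_vulnerable, redirect),           # bypassed: token
        "vuln_dns": probe(fetch_vulnerable, dns),                     # bypassed: metadata
        "hard_redirect": probe(fetch_hardened, redirect),             # BLOCKED at hop 2
        "hard_dns": probe(fetch_hardened, dns),                       # BLOCKED at hop 1
        "hard_legit": probe(fetch_hardened, legit),                   # still works
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Running the script prints the six outcomes: the vulnerable fetcher refuses a data connection aimed directly at 169.254.169.254 but hands back the IMDS token body once the attacker's host redirects there, while the hardened fetcher blocks the same chain at the second hop and the DNS variant at the first, without affecting a legitimate partner API.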
Tenable reported its findings to Microsoft in June and July 2024, after which Microsoft began deploying fixes across all regions. There is no evidence to suggest that these vulnerabilities were exploited in the wild.
“The vulnerabilities raise concerns about how chatbots can be exploited to reveal sensitive information,” Tenable stated. “These issues highlight a flaw in the underlying architecture of the chatbot service and emphasize the importance of traditional web application and cloud security in the age of AI chatbots.”
This disclosure follows shortly after Semperis detailed an attack technique called UnOAuthorized, which allows for privilege escalation within Microsoft Entra ID (formerly Azure Active Directory), including the ability to add and remove users from privileged roles. Microsoft has since patched this security vulnerability.
“A threat actor with such access could elevate their privileges to Global Administrator and establish further persistence mechanisms within a tenant,” security researcher Eric Woodruff explained. “An attacker could also use this access to move laterally into any system within Microsoft 365 or Azure, as well as any SaaS application connected to Entra ID.”