Researchers Uncover Vulnerabilities in AI-Powered Azure Health Bot Service

August 13, 2024 | Ravie Lakshmanan | Health Industry / Weakness

Cybersecurity researchers have discovered two security vulnerabilities in Microsoft’s Azure Health Bot Service that, if exploited, could allow a malicious actor to move laterally within customer environments and gain access to sensitive patient data.

The significant flaws, which Microsoft has since fixed, could have enabled access to resources across different customer accounts in the service, according to Tenable, as detailed in a recent analysis shared with The Hacker News.

The Azure AI Health Bot Service is a web platform that lets developers in healthcare organizations build and deploy AI-powered virtual health assistants, and set up copilots to handle administrative tasks and interact with their patients.

This includes bots built by insurance providers so that customers can check claim status and ask about services and benefits, as well as bots run by healthcare organizations to help patients find appropriate care or locate nearby physicians.

Tenable’s investigation focuses on a feature of the Azure AI Health Bot Service called Data Connections, which, as the name suggests, provides a way to integrate data from external sources, whether third parties or the providers’ own API endpoints.

Although the feature has built-in safeguards to block unauthorized access to internal APIs, a closer look revealed that these protections could be bypassed by sending redirect responses (e.g., 301 or 302 status codes) when configuring a data connection with an external host under one’s control.

By configuring that host to answer requests with a 301 redirect pointing at Azure’s Instance Metadata Service (IMDS), Tenable said it was possible to obtain a valid metadata response and, from it, an access token for management.azure[.]com.

That token could then be used to list the subscriptions it grants access to by calling a Microsoft endpoint that, in turn, returns an internal subscription ID, which could finally be used to enumerate the accessible resources by calling another API.

Tenable also found that another endpoint, used for integrating systems that support the Fast Healthcare Interoperability Resources (FHIR) data exchange format, was susceptible to the same attack.
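As an added illustration of the defensive check such a feature needs (example code written for this article, not Microsoft’s or Tenable’s), the fetcher below follows redirects one hop at a time and re-validates every destination against a deny list that covers the IMDS address, so a 301 from a connector host toward 169.254.169.254 is refused instead of followed. The host names, addresses and responses in `FAKE_DNS` and `FAKE_WEB` are constructed stand-ins so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urljoin, urlparse

# Azure IMDS answers on 169.254.169.254; deny all link-local, loopback and private space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def default_resolver(host: str) -> List[str]:  # real DNS; swapped for a fake in tests
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def target_is_allowed(url: str, resolve: Callable[[str], List[str]] = default_resolver) -> bool:
    """True only if every address the URL's host maps to lies outside the deny list."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parsed.hostname)]  # IP literal in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parsed.hostname)]
        except (socket.gaierror, ValueError, KeyError):
            return False
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return bool(addrs)

def fetch_with_checked_redirects(url, fetch, resolve=default_resolver, max_hops=5):
    """Follow redirects by hand; fetch(url) does ONE request and never follows them itself."""
    for _ in range(max_hops + 1):
        if not target_is_allowed(url, resolve):  # re-checked on every hop
            raise PermissionError(f"blocked outbound target: {url}")
        status, headers, body = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, headers, body
        url = urljoin(url, location)  # relative Location resolves against the current URL
    raise RuntimeError("too many redirects")

# Constructed stand-ins: one host replays the redirect-to-IMDS pattern, one is a normal API.
FAKE_DNS = {"connector.example": ["203.0.113.10"], "api.example": ["198.51.100.7"]}
FAKE_WEB = {
    "http://connector.example/data": (301, {"Location": "http://169.254.169.254/metadata/"}, b""),
    "http://api.example/old": (302, {"Location": "/v2/claims"}, b""),
    "http://api.example/v2/claims": (200, {}, b'{"status": "paid"}')}
```

Checking only the first URL, as an HTTP client that follows redirects on its own does, is exactly the gap the redirect trick exploits; the per-hop check closes it.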

Tenable said it reported its findings to Microsoft in June and July 2024, after which the company began rolling out fixes across all regions. There is no evidence that the vulnerability was exploited in the wild.

“The weaknesses raise concerns regarding how chatbots could be manipulated to uncover confidential data,” Tenable noted in a statement. “Specifically, the vulnerabilities involved a flaw in the basic architecture of the chatbot service, emphasizing the significance of conventional web application and cloud security amidst the era of AI chatbots.”

The disclosure follows a recent report by Semperis of an attack technique dubbed UnOAuthorized that allows privilege escalation using Microsoft Entra ID (formerly Azure Active Directory), including the ability to add and remove users from privileged roles. Microsoft has since addressed the flaw.

“A malicious actor could have utilized such access for privilege escalation to Global Administrator and to introduce additional mechanisms for persistence within a tenancy,” security expert Eric Woodruff stated. “An attacker could also utilize this access to conduct lateral maneuvers into any system in Microsoft 365 or Azure, as well as any SaaS application linked to Entra ID.”
