
During a security audit, Tenable researchers discovered privilege-escalation vulnerabilities in the Azure AI Health Bot Service. They gained access to cross-tenant resources via a Server-Side Request Forgery (SSRF) vulnerability.

Microsoft Azure's AI Health Bot is a cloud-based technology that enables healthcare organizations to deploy intelligent virtual health assistants. The platform uses artificial intelligence that has been trained with medical data to create conversational experiences for patients. Patients can use the chatbot to book appointments, manage records and billing, ask about symptoms and medications, and receive care recommendations.

Server-Side Request Forgery (SSRF), the class of vulnerability discovered, is ranked number ten on the OWASP 2021 Top Ten list of the most critical security risks to web applications. SSRF allows an attacker to manipulate a server into making unauthorized requests to internal or external resources on the web server's behalf, so the request carries the server's network position and credentials rather than the attacker's.

Figure: a diagram illustrating a Server-Side Request Forgery (SSRF) attack. An attacker (represented by a purple figure) attempts to send a direct request (arrow labeled ①) to a victim server but is blocked by a firewall. The attacker instead sends a request (arrow labeled ②) to a web server, which then makes a request (arrow labeled ③) to the victim server on behalf of the attacker. The response (arrow labeled ④) is sent back through the web server to the attacker. Text on the diagram indicates that the web server makes the request on behalf of the user and that the direct request is blocked by the firewall.

Researchers initially found the vulnerability in a feature called "Data Connections." Data connections allow the chatbot's backend to interact with and make requests to third-party APIs and external data sources, such as patient information portals or medical reference databases.

To demonstrate the attack, the researchers set up a server under their control and configured a data connection in the Health Bot to point to this server. They then had their server issue a redirect to Azure's Internal Metadata Service (IMDS), an internal Microsoft service. By accessing IMDS, they realized they could gain access to users' information.

Although many endpoints, including IMDS, had protections in place, the researchers found that the safeguards could be bypassed using HTTP 301/302 redirect responses.

The Microsoft Security Response Center (MSRC) promptly addressed the vulnerability by rejecting redirect responses for data connections to prevent attackers from exploiting the flaw.
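The remediation described above, rejecting redirect responses for data connections, is one layer of an outbound-request policy. The following Python example is added here for illustration and is not code from Tenable, Microsoft, or the Health Bot service; it shows how a service that fetches tenant-configured URLs can validate every destination against blocked address ranges (the link-local range that contains the IMDS address 169.254.169.254 among them) and either refuse redirects outright or re-validate each hop. The hostname `connector.example`, the `fake_resolve` and `fake_transport` functions, and the responses they return are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Ranges an outbound fetcher for tenant-configured data connections should never reach.
# 169.254.0.0/16 is link-local and contains the Azure IMDS address 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


class OutboundBlocked(Exception):
    """Raised when a request would violate the egress policy."""


def check_ip(ip):
    """Reject any address inside a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    for net in BLOCKED_NETWORKS:
        if ip in net:
            raise OutboundBlocked(f"{ip} is inside blocked range {net}")
    return ip


def validate_target(url, resolve):
    """Validate scheme and host of a URL before any connection is made.

    `resolve` is an injected hostname -> [ip string] lookup so the example runs offline.
    The vetted addresses are returned so the caller can pin the connection to one of
    them; resolving again at connect time would reopen a DNS-rebinding window.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise OutboundBlocked(f"scheme {p.scheme!r} not allowed")
    if not p.hostname:
        raise OutboundBlocked("URL has no host")
    try:
        candidates = [ipaddress.ip_address(p.hostname)]   # IP literal in the URL
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(p.hostname)]
    if not candidates:
        raise OutboundBlocked(f"{p.hostname} did not resolve")
    return [check_ip(ip) for ip in candidates]


def fetch(url, transport, resolve, follow_redirects=False, max_hops=3):
    """Fetch a URL under the egress policy.

    `transport(url) -> (status, headers, body)` stands in for the HTTP client and must
    not follow redirects itself. By default any 3xx is refused (the remediation applied
    to the data-connection feature); if redirects are enabled, every Location is
    re-validated before it is requested.
    """
    for _ in range(max_hops):
        validate_target(url, resolve)
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            if not follow_redirects:
                raise OutboundBlocked(f"redirect from {url} refused")
            url = urljoin(url, headers.get("Location", ""))
            continue
        return status, body
    raise OutboundBlocked("too many redirects")


# Constructed scenario: a tenant points a data connection at a server it controls,
# and that server answers with a 302 towards the metadata endpoint.
FAKE_DNS = {"connector.example": ["203.0.113.10"]}   # TEST-NET-3 documentation address
FAKE_RESPONSES = {
    "https://connector.example/fhir":
        (302, {"Location": "http://169.254.169.254/metadata/instance"}, b""),
    "http://169.254.169.254/metadata/instance":
        (200, {}, b"<instance metadata would be here>"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url):
    return FAKE_RESPONSES[url]


def outcome(follow_redirects):
    """Run the constructed scenario and report how the policy handled it."""
    try:
        fetch("https://connector.example/fhir", fake_transport, fake_resolve, follow_redirects)
        return "allowed"
    except OutboundBlocked as e:
        return str(e)


if __name__ == "__main__":
    print("redirects refused:", outcome(False))
    print("redirects re-validated:", outcome(True))
```

With redirects refused the fetch stops at the first 302; with redirects followed the policy still blocks the hop because the Location resolves to the link-local range. Both layers are worth keeping: refusing redirects removes the bypass the researchers used, and per-hop validation with pinned addresses covers clients that must follow redirects for legitimate connectors.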

Subsequently, researchers discovered a similar vulnerability in a different part of the service. The new attack vector was an endpoint used to validate data connections for Fast Healthcare Interoperability Resources (FHIR) endpoints. Unlike the first issue, the impact of this issue would have been less significant because the FHIR endpoint vector could not influence request headers and, therefore, could not access cross-tenant resources. Nevertheless, the MSRC also promptly addressed this issue.

The fix was released as part of Microsoft's Patch Tuesday on August 13. It was assigned CVE-2024-38109 and ranked critical with a CVSSv3 base score of 9.1. According to the Microsoft team, no action is required from customers to resolve the documented vulnerability. Tenable maintains that there is no evidence that a malicious actor exploited the attack vectors.

The identified vulnerabilities exposed fundamental weaknesses in the service architecture. They also emphasise the need for strong security practices in AI-driven platforms.
