Microsoft's Azure Health Bot service allows healthcare organizations to create and deploy AI-powered conversational healthcare experiences. It uses a built-in medical database with natural language capabilities to understand clinical terminology and allows healthcare organizations to customize it based on their clinical use cases.
While auditing this service for security issues, Tenable found a security vulnerability in the "Data Connections" feature in Azure Health Bot service. This feature allowed bots to interact with external data sources via third-party APIs to retrieve information.
While Azure's Internal Metadata Service (IMDS) was appropriately filtered or inaccessible, redirect responses (301/302 status codes) allowed the filters to be bypassed. Through this server-side request forgery (SSRF) vulnerability, Tenable researchers were able to access resources belonging to different tenants.
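
To make the redirect bypass concrete, here is an added Python example (not code from Tenable or Microsoft) that contrasts a fetcher which filters only the URL it is handed with one that re-validates the destination before every hop. The hostnames, the lookup tables standing in for DNS and HTTP, the blocklist and the function names are all constructed for the example.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: URL -> (status, Location header).
# 169.254.169.254 is the well-known link-local metadata address.
FAKE_WEB = {
    "https://api.partner.example/data": (200, None),
    "https://redirector.example/r": (302, "http://169.254.169.254/"),
}
FAKE_DNS = {"api.partner.example": "203.0.113.10", "redirector.example": "203.0.113.20"}
# Illustrative IPv4 blocklist; a production filter would also cover IPv6.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_internal(url):
    """True if the host is, or resolves to, a blocked address (fails closed)."""
    host = urlsplit(url).hostname or ""
    addr = FAKE_DNS.get(host, host)  # IP literals pass through unchanged
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unresolvable or empty host
    return any(ip in net for net in BLOCKED)

def fetch_first_hop_check(url, max_hops=5):
    """Weak pattern: filter the supplied URL once, then follow redirects blindly."""
    if is_internal(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_hops):
        status, location = FAKE_WEB.get(url, (200, None))
        if status not in (301, 302):
            return url  # the URL the server ended up requesting
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")

def fetch_every_hop_check(url, max_hops=5):
    """Hardened pattern: validate the destination before each request."""
    for _ in range(max_hops):
        if is_internal(url):
            raise PermissionError(f"blocked: {url}")
        status, location = FAKE_WEB.get(url, (200, None))
        if status not in (301, 302):
            return url
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")
```

With the constructed data, the first function ends up requesting the metadata address after the 302, while the second raises `PermissionError` at that hop.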
Following this discovery, Tenable reported its findings to MSRC on June 17, 2024. MSRC assigned this issue a severity rating of Critical - Elevation of Privilege. As of July 2, Microsoft has rolled out fixes to all regions. Tenable also stated that it found no evidence that this issue had been exploited by a malicious actor.
While validating the fixes deployed by Microsoft, Tenable found another similar vulnerability in data connections for FHIR endpoints. Tenable again reported this issue to MSRC on July 9. MSRC assigned this issue a severity rating of Important - Elevation of Privilege. Microsoft fixed this second issue by July 12.
Tenable researcher Jimi Sebree wrote the following explanation of the Azure Health Bot vulnerabilities:
"The vulnerabilities discussed in this post involve flaws in the underlying architecture of the AI chatbot service, not the AI models themselves. This highlights the continued importance of traditional web application and cloud security mechanisms in this new age of AI-powered services."
Since the fixes were done on the server side by Microsoft, no customer action is required. You can learn more about these issues from TRA-2024-27 and TRA-2024-28.
Source: Tenable