Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Azure Health Bot Service Vulnerabilities Possibly Exposed Sensitive Data

Azure Health Bot Service vulnerabilities found by Tenable could have been exploited for lateral movement and may have allowed customer data exposure. 

Researchers at Tenable have identified vulnerabilities in Microsoft’s Azure Health Bot Service that threat actors could have been able to exploit to gain access to sensitive data.

The Azure Health Bot Service is a cloud platform that healthcare organizations can use to create and deploy AI-powered virtual health assistants.

Depending on what they’re used for, some of these chatbots may need to be given access to sensitive patient information to complete their tasks. 

Tenable researchers discovered a data connection feature that allows bots to interact with external data sources. The feature enables the service’s backend to make third-party API requests. 

The researchers found a way to bypass the protections that were in place. Specifically, they found a server-side request forgery (SSRF) vulnerability that could have allowed an attacker to escalate privileges and access cross-tenant resources.

Tenable’s analysis did not go deeper to see exactly what type of data was exposed, but the company noted that a threat actor may have been able to gain management capabilities and move laterally within Azure customer environments, potentially gaining access to sensitive patient data. 

“The vulnerabilities […] involve flaws in the underlying architecture of the AI chatbot service rather than the AI models themselves,” Tenable explained. 

Microsoft was immediately informed about the vulnerabilities and released server-side patches in July. 

Advertisement. Scroll to continue reading.

Tenable has not found any evidence to suggest that the flaws have been exploited by malicious actors.

Related: AWS Patches Vulnerabilities Potentially Allowing Account Takeovers

Related: Docker Patches Critical AuthZ Plugin Bypass Vulnerability Dating Back to 2018

Related: Citrix Patches Critical NetScaler Console Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights