Summary
Multiple vulnerabilities were uncovered in Azure Health Bot service, Microsoft's health chatbot platform.
These could have potentially exposed sensitive user data and granted attackers extensive control, allowing
unrestricted code execution as root on the bot backend, unrestricted access to authentication secrets &
integration auth providers, unrestricted memory read in the bot backend, exposing sensitive secrets,
allowing cross-tenant data access and unrestricted deletion of other tenants' public resources.
These issues stemmed from various bugs related to URL sanitization, shared compute, and sandboxing.
Following disclosure, Microsoft changed the service architecture to run a completely separate ACI
instance per customer, thereby mitigating future sandbox escapes, and changed the sandboxing from
vm2 to the isolated-vm library (which uses V8 isolates).
Affected Services
Health Bot
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://www.breachproof.net/blog/lethal-injection-how-we-hacked-microsoft-ai-chat-bothttps://twitter.com/Yanir_/status/1787927285443494137
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
-
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Yanir Tsarimi, Breachproof
