Tenable Cloud Research Team has discovered critical vulnerabilities in the Azure Health Bot Service, that allowed access to cross-tenant resources within this service. Based on the level of access granted, it’s likely that lateral movement to other resources would have been possible.

The Azure Health Bot Service is a cloud platform that allows healthcare professionals to deploy patient-facing chatbots to handle administrative workflows within their environments. Thus, these chatbots generally have some access to sensitive patient information, though the information available to these bots can vary based on each bot’s configuration.

While auditing this service for security issues, Tenable researchers became interested in a feature dubbed “Data Connections” in the service’s documentation. These data connections allow bots to interact with external data sources to retrieve information from other services that the provider may be using, such as a portal for patient information or a reference database for general medical information. 

While testing these data connections to see if endpoints internal to the service could be interacted with, Tenable researchers discovered that many common endpoints, such as Azure’s Internal Metadata Service (IMDS), were appropriately filtered or inaccessible. Upon closer inspection, however, it was discovered that issuing redirect responses (e.g. 301/302 status codes) allowed these mitigations to be bypassed.

The vulnerabilities involve flaws in the underlying architecture of the AI chatbot service rather than the AI models themselves and highlights the continued importance of traditional web application and cloud security mechanisms in this new age of AI powered services.

According to Microsoft, mitigations for these issues have been applied to all affected services and regions. No customer action is required.

The full discovery is documented in this blog.