Multiple privilege escalation issues in Microsoft Azure’s cloud-based Health Bot service exposed the platform to server-side request forgery (SSRF) and could allow access to cross-tenant resources.

The vulnerabilities, identified by Tenable Research, were quickly patched by Microsoft, but raise inherent concerns about chatbot risks, researchers warn.

With the Azure AI Health Bot Service, healthcare organizations can build their own virtual health assistants to interact with patients and manage administrative workloads. They can integrate all kinds of internal processes and information into those workloads, meaning the chatbots may have privileged access to highly sensitive health information.

“The risk to a customer of the health bot service depends entirely on the information they have made available to the service,” said Jimi Sebree, senior research engineer at Tenable.

Azure Chatbots and Cross-Tenant Access

If a malicious party had exploited the issues, it could have gained administrative rights to hundreds of resources belonging to other Azure customers, Tenable warned.

According to a blog post The bugs were released today and by exploiting them, researchers were able to gain access to the service’s internal metadata service (IMDS) and subsequently gain access to tokens that allowed them to manage resources across tenants.

“Based on the level of access granted, it is likely that lateral movement to other resources in customer environments would have been possible,” Sebree said. “This is common in cloud services like this, and safeguards are put in place to prevent cross-tenant access. The vulnerabilities discovered by Tenable Research are essentially bypasses of these safeguards.”

The researchers found that the problems endpoints within the Data connections feature that allows developers to integrate external APIs, including the endpoint that the Rapid Resources for Healthcare Interoperability (FHIR) Data exchange format.

In short, the attack involved configuring a data connection using a malicious remote host, and setting it to respond to all queries from the platform with 301 or 302 redirect codes indicating that the web page had been permanently moved. Those redirect responses were sent back to the IMDS, which in turn responded with metadata leaking the access tokens.

“It was easy to exploit these issues. No prior knowledge was required other than general use of the health bot service,” Sebree said.

Rushing AI development is risky

Sebree also explains that the vulnerabilities detailed in Tenable’s analysis for the health bot service illustrate the risks created by rushed development and deployment cycles of these interactive services.

“Companies should not prioritize being first to market as much as taking the time to ensure the safety of their products and their customers,” Sebree said.

According to the Tenable blog post, “The vulnerabilities raise concerns about how chatbots could be abused to reveal sensitive information. Specifically, the vulnerabilities were related to a flaw in the underlying architecture of the chatbot service, highlighting the importance of traditional web app and cloud security in the era of AI chatbots.”

This is especially important as the global healthcare industry, which is experiencing a transformative wave of digitalization and the adoption and integration of AI-driven applications, consistently a target of cybercriminals because of the extremely valuable personal information contain health records.

Fortunately, efforts are underway to strengthen healthcare security in the cloud and AI world and beyond. In May, the Advanced Research Projects Agency for Health (ARPA-H) announced that it was investing $50 million in its Upgrade Program to improve cybersecurity in healthcare through automation, allowing healthcare providers to focus more on patient care.

Healthcare providers and medical device manufacturers are also encouraged to Improve medical device data security through closer cooperation.