Cybersecurity researchers have disclosed particulars of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if efficiently exploited, might enable risk actors to reap a consumer’s credentials and stage follow-on assaults.
This might manifest within the type of post-exploitation actions that enable the attacker to ship requests to the SharePoint API on behalf of the impersonated consumer, enabling unauthorized entry to delicate knowledge, Zenity Labs stated in a report shared with The Hacker Information forward of publication.
“This vulnerability will be exploited throughout Energy Automate, Energy Apps, Copilot Studio, and Copilot 365, which considerably broadens the scope of potential injury,” senior safety researcher Dmitry Lozovoy said.
“It will increase the chance of a profitable assault, permitting hackers to focus on a number of interconnected companies throughout the Energy Platform ecosystem.”
Following accountable disclosure in September 2024, Microsoft addressed the safety gap, assessed with an “Necessary” severity evaluation, as of December 13. When reached for remark, Redmond confirmed that the problem is resolved.
Microsoft Energy Platform is a group of low-code improvement instruments that enable customers to facilitate analytics, course of automation, and data-driven productiveness functions.
The vulnerability, at its core, is an occasion of server-side request forgery (SSRF) stemming from using the “customized worth” performance throughout the SharePoint connector that allows an attacker to insert their very own URLs as a part of a stream.
Nonetheless, to ensure that the assault to achieve success, the rogue consumer might want to have an Environment Maker role and the Basic User role in Energy Platform. This additionally implies that they would want to first achieve entry to a goal group by way of different means and purchase these roles.
“With the Setting Maker position, they’ll create and share malicious sources like apps and flows,” Zenity advised The Hacker Information. “The Fundamental Person position permits them to run apps and work together with sources they personal in Energy Platform. If the attacker does not have already got these roles, they would want to achieve them first.”
In a hypothetical assault state of affairs, a risk actor might create a stream for a SharePoint motion and share it with a low-privileged consumer (learn sufferer), leading to a leak of their SharePoint JWT entry token.
Armed with this captured token, the attacker might ship requests exterior of the Energy Platform on behalf of the consumer to whom entry was granted to.
That is not all. The vulnerability may very well be prolonged additional to different companies like Energy Apps and Copilot Studio by making a seemingly benign Canvas app or a Copilot agent to reap a consumer’s token, and escalate entry additional.
“You possibly can take this even additional by embedding the Canvas app right into a Groups channel, for instance,” Zenity famous. “As soon as customers work together with the app in Groups, you possibly can harvest their tokens simply as simply, increasing your attain throughout the group and making the assault much more widespread.”
“The principle takeaway is that the interconnected nature of Energy Platform companies can lead to severe safety dangers, particularly given the widespread use of the SharePoint connector, which is the place loads of delicate company knowledge is housed, and it may be sophisticated to make sure correct entry rights are maintained all through numerous environments.”
The event comes as Binary Safety detailed three SSRF vulnerabilities in Azure DevOps that would have been abused to speak with the metadata API endpoints, thereby allowing an attacker to glean details about the machine’s configuration.
(The story was up to date after publication to incorporate a response from Microsoft.)
Source link