
Microsoft SharePoint Connector Flaw Could’ve Enabled Credential Theft Across Power Platform


Feb 04, 2025 | Ravie Lakshmanan | Vulnerability / SharePoint


Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user’s credentials and stage follow-on attacks.

This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf of the impersonated user, enabling unauthorized access to sensitive data, Zenity Labs said in a report shared with The Hacker News ahead of publication.

“This vulnerability might be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, which significantly broadens the scope of potential harm,” senior security researcher Dmitry Lozovoy said.

“It increases the chance of a successful attack, allowing hackers to target multiple interconnected services within the Power Platform ecosystem.”


Following responsible disclosure in September 2024, Microsoft addressed the security hole, assessed with an “Important” severity rating, as of December 13.

Microsoft Power Platform is a collection of low-code development tools that allow users to facilitate analytics, process automation, and data-driven productivity applications.

The vulnerability, at its core, is an instance of server-side request forgery (SSRF) stemming from the use of the “custom value” functionality within the SharePoint connector, which permits an attacker to insert their own URLs as part of a flow.

However, for the attack to succeed, the rogue user needs to have the Environment Maker role and the Basic User role in Power Platform. This also means that they would need to first gain access to a target organization through other means and acquire these roles.

“With the Environment Maker role, they can create and share malicious resources like apps and flows,” Zenity told The Hacker News. “The Basic User role allows them to run apps and interact with resources they own in Power Platform. If the attacker doesn’t already have these roles, they would need to gain them first.”

In a hypothetical attack scenario, a threat actor could create a flow for a SharePoint action and share it with a low-privileged user (read: victim), resulting in a leak of their SharePoint JWT access token.

Armed with this captured token, the attacker could send requests outside of the Power Platform on behalf of the user to whom access was granted.
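For defenders reviewing shared flows, the sketch below audits an exported flow definition for SharePoint connector actions whose site address is a custom value pointing outside the tenant, or an expression resolved only at run time. It is an added example, not code from Zenity or Microsoft; the JSON shape (`apiId`, `parameters.dataset`), the tenant host `contoso.sharepoint.com`, and the sample flow are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: connector id as it appears in "apiId" of an exported flow definition.
SHAREPOINT_API = "/apis/shared_sharepointonline"

def host_allowed(url, allowed_suffixes):
    """True only for https URLs whose host is, or is a subdomain of, an allowed suffix."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return False
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)

def walk_actions(actions, prefix=""):
    """Yield (path, action) for every action, descending into scopes and else-branches."""
    for name, action in (actions or {}).items():
        yield prefix + name, action
        yield from walk_actions(action.get("actions"), prefix + name + "/")
        yield from walk_actions((action.get("else") or {}).get("actions"), prefix + name + "/else/")

def audit_flow(definition, allowed_suffixes):
    """Return (action path, site value) for SharePoint actions with an off-tenant or dynamic site."""
    findings = []
    for path, action in walk_actions(definition.get("actions")):
        inputs = action.get("inputs")
        host = inputs.get("host") if isinstance(inputs, dict) else None
        if not isinstance(host, dict) or not str(host.get("apiId", "")).endswith(SHAREPOINT_API):
            continue
        site = str((inputs.get("parameters") or {}).get("dataset", ""))
        # Expressions (leading "@") resolve only at run time, so flag them for review.
        if site.startswith("@") or not host_allowed(site, allowed_suffixes):
            findings.append((path, site))
    return findings

# Constructed sample definition (not taken from the report or from a real tenant).
def sp(site):
    return {"type": "OpenApiConnection", "inputs": {
        "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"},
        "parameters": {"dataset": site, "table": "Documents"}}}

SAMPLE_FLOW = {"actions": {
    "Get_items": sp("https://contoso.sharepoint.com/sites/hr"),
    "Compose": {"type": "Compose", "inputs": "hello"},
    "Scope": {"type": "Scope", "actions": {
        "Custom_site": sp("https://collector.example/sites/hr"),
        "Userinfo_trick": sp("https://contoso.sharepoint.com@collector.example/"),
        "Dynamic_site": sp("@triggerBody()?['site']")}}}}

if __name__ == "__main__":
    print(audit_flow(SAMPLE_FLOW, ["contoso.sharepoint.com"]))
```

The host check compares the parsed hostname rather than the raw string, so a site value that merely contains the tenant name before an `@` is still flagged.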

That’s not all. The vulnerability could be extended further to other services like Power Apps and Copilot Studio by creating a seemingly benign Canvas app or a Copilot agent to harvest a user’s token, and escalate access further.


“You can take this even further by embedding the Canvas app into a Teams channel, for example,” Zenity noted. “Once users interact with the app in Teams, you can harvest their tokens just as easily, expanding your reach across the organization and making the attack even more widespread.”

“The main takeaway is that the interconnected nature of Power Platform services can result in serious security risks, especially given the widespread use of the SharePoint connector, which is where a lot of sensitive corporate data is housed, and it can be difficult to ensure proper access rights are maintained throughout various environments.”

The development comes as Binary Security detailed three SSRF vulnerabilities in Azure DevOps that could have been abused to communicate with the metadata API endpoints, thereby allowing an attacker to glean information about the machine’s configuration.
