SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Major security flaw found in NHS chatbot service by Tenable

Thu, 22nd Aug 2024

Tenable has issued a warning about a high-severity flaw discovered in Microsoft's Azure Health Bot Service, a chatbot used by the NHS to access user and patient information. This chatbot is employed across various NHS services, including obtaining COVID-19 information and support and aiding in communications during rare patient diagnosis cases.

The newly identified vulnerability allows attackers to access sensitive patient information, gain management capabilities over numerous Azure customer resources and, via the chatbot's internal metadata service, obtain access tokens. These findings were disclosed by Tenable, an exposure management company whose research team uncovered multiple privilege escalation issues in the Azure Health Bot service through server-side request forgery (SSRF).

These vulnerabilities enabled researchers to access the service’s internal metadata service (IMDS) and obtain access tokens that could potentially grant management capabilities across multiple tenant resources. According to Tenable, exploiting these flaws could have serious consequences.
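Azure's IMDS lives at the link-local address 169.254.169.254 and hands out managed-identity tokens, so the first defensive control against the SSRF-to-IMDS chain described above is to refuse server-side fetches of user-influenced URLs that resolve there. The following is an added example, not Tenable's or Microsoft's code: an outbound URL guard that resolves the host and rejects link-local, loopback and private ranges (the range list and the sample URLs are assumptions).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetch from a chatbot backend should never reach.
# 169.254.0.0/16 covers the cloud instance metadata service (IMDS);
# the rest are loopback, RFC 1918 and carrier-grade NAT space plus
# the IPv6 equivalents. Assumed list; extend for your environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address (after unwrapping IPv4-mapped IPv6) is internal."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must not slip through
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host: str) -> list[str]:
    """Resolve a hostname to every address it maps to; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_outbound_url(url: str) -> bool:
    """Decide whether a user-influenced URL may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # reject user@host obfuscation
        return False
    addresses = resolve_host(parts.hostname)
    if not addresses:  # unresolvable: fail closed rather than guess
        return False
    # Refuse if ANY resolved address is internal (multi-answer DNS).
    return not any(is_blocked_ip(a) for a in addresses)
```

Pin the resolved address for the actual connection, or re-check it at connect time, so a DNS answer that changes between the check and the fetch cannot bypass the guard.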

Jimi Sebree, Senior Staff Research Engineer at Tenable, said, "Based on the level of access granted, it’s likely that lateral movement to other resources in customer environments would have been possible." 

Sebree elaborated on the nature of the vulnerabilities: "The vulnerabilities involved a flaw in the underlying architecture of the chatbot service, rather than the AI models themselves. This highlights the continued importance of traditional web application and cloud security mechanisms in this new age of AI-powered chatbots."

The Azure Health Bot Service is a cloud platform that allows healthcare professionals to deploy AI-powered virtual health assistants. Essentially, healthcare providers can create and deploy patient-facing chatbots to manage administrative workflows within their environments, which necessitates some level of access to sensitive patient data.

Upon identifying the issues, Tenable Research reported the vulnerabilities to Microsoft immediately due to the sensitive nature of the data at risk. Microsoft confirmed that mitigations for these issues have been applied to all affected services and regions, assuring that no customer action is required at this time.

Tenable's discovery of vulnerabilities in Microsoft’s Azure Health Bot Service underscores the critical need for robust security measures in cloud-based healthcare solutions. As these systems handle sensitive patient data and provide essential services, maintaining stringent security protocols is vital to prevent unauthorized access and ensure data integrity.

Microsoft's swift response to these issues reflects the importance of ongoing vigilance and proactive management in safeguarding digital health platforms. This incident highlights the need for continuous improvement in security practices to protect healthcare providers and patients in an increasingly digital environment.
