Microsoft Copilot Studio¤ËÀȼåÀ¡¢ÆâÉô¾ðÊó¤¬Ï³±Ì¤¹¤ë¶²¤ì¤¢¤ê
Tenable¤Ï8·î20Æü(Êƹñ»þ´Ö)¡¢¡ÖCritical SSRF vulnerability in Microsoft Copilot Studio¡×¤Ë¤ª¤¤¤Æ¡¢Microsoft Copilot Studio¤Ë¿¼¹ï¤ÊÀȼåÀ¤¬¤¢¤ë¤³¤È¤òÊó¹ð¤·¤¿¡£¤³¤ÎÀȼåÀ¤Ï¥µ¡¼¥Ð¥µ¥¤¥É¥ê¥¯¥¨¥¹¥È¥Õ¥©¡¼¥¸¥§¥ê¡¼(SSRF: Server-Side Request Forgery)¤È¤µ¤ì¡¢°ÍѤµ¤ì¤¿¾ì¹ç¤Ï¥µ¡¼¥Ó¥¹ÆâÉô¤Îµ¡Ì©¾ðÊó¤Ë¥¢¥¯¥»¥¹¤µ¤ì¤Æ¤·¤Þ¤¦²ÄǽÀ¤¬¤¢¤ë¡£
¡ûCopilot Studio¤ÎÀȼåÀ¡ÖCVE-2024-38206¡×¤Î³µÍ×
ȯ¸«¤µ¤ì¤¿¤³¤ÎÀȼåÀ¤Ï¡ÖCVE-2024-38206¡×¤È¤·¤ÆÆÃÄꤵ¤ì¤Æ¤¤¤ë¡£CVE-2024-38206¤Î¶¦ÄÌÀȼåÀɾ²Á¥·¥¹¥Æ¥à(CVSS: Common Vulnerability Scoring System)v3.1¤Î¥¹¥³¥¢ÃͤÏ8.5¤Èɾ²Á¤µ¤ì¤Æ¤ª¤ê¡¢¿¼¹ïÅ٤ϽÅÍ×(High)¤È°ÌÃ֤Ť±¤é¤ì¤Æ¤¤¤ë¡£¤¿¤À¤·Microsoft¤Îȯɽ¤Ç¤Ï¤³¤ÎÀȼåÀ¤¬°ÍѤµ¤ì¤ë²ÄǽÀ¤ÏÄ㤤¤ÈʬÀϤµ¤ì¤Æ¤¤¤ë(»²¹Í¡§¡ÖCVE-2024-38206 - Microsoft - Microsoft Copilot Studio Information Disclosure Vulnerability¡×)¡£
¤³¤Î·ç´Ù¤ò°ÍѤ¹¤ë¤³¤È¤Ç¥¤¥ó¥¹¥¿¥ó¥¹¥á¥¿¥Ç¡¼¥¿¥µ¡¼¥Ó¥¹(IMDS)¤äÆâÉô¤ÎCosmos DB¥¤¥ó¥¹¥¿¥ó¥¹¤Ê¤É¡¢Copilot Studio¤ÎÆâÉô¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤Ë¥¢¥¯¥»¥¹¤Ç¤¤Æ¤·¤Þ¤¦¤³¤È¤¬³Îǧ¤µ¤ì¤Æ¤¤¤ë¡£HttpRequestAction(Copilot Studio¤ÎHTTP¥ê¥¯¥¨¥¹¥È)¤òÁàºî¤¹¤ë¤³¤È¤ÇÄ̾ï¤Ï¥¢¥¯¥»¥¹¤Ç¤¤Ê¤¤ÆâÉô¥ê¥½¡¼¥¹¤ËÀܳ¤µ¤ì¡¢µ¡Ì©À¤Î¹â¤¤¾ðÊó¤¬Àà¼è¤µ¤ì¤Æ¤·¤Þ¤¦¤³¤È¤¬Êó¹ð¤µ¤ì¤Æ¤¤¤ë¡£
¡ûMicrosoft¤¬Âбþ¤ò³«»Ï
Tenable¤ÏCopilot Studio¤Î¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤¬Ê£¿ô¤Î¸ÜµÒ(¥Æ¥Ê¥ó¥È)´Ö¤Ç¶¦Í¤µ¤ì¤Æ¤¤¤ë²ÄǽÀ¤¬¤¢¤ë¤È¤·¡¢±Æ¶Á¤ò¼õ¤±¤ë¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤Ë¤è¤Ã¤Æ¤Ï¡¢Èï³²¤¬³ÈÂ礹¤ë²ÄǽÀ¤¬¤¢¤ë¤È»ØŦ¤·¤Æ¤¤¤ë¡£¶ñÂÎŪ¤Ê±Æ¶Á¤ÎÄøÅÙ¤ÏÉÔÌÀ¤È¤µ¤ì¤Æ¤¤¤ë¤¬¡¢¥ê¥¹¥¯¤Î¹â¤Þ¤ê¤¬·üÇ°¤µ¤ì¤Æ¤¤¤ë¡£
ȯ¸«¤µ¤ì¤¿CVE-2024-38206¤Ï¤¹¤Ç¤ËMicrosoft¤ËÊó¹ð¤µ¤ì¤Æ¤ª¤ê¡¢Microsoft¤¬¤³¤ÎÀȼåÀ¤ò½¤Àµ¤¹¤ë¤¿¤á¤ÎÁ¼ÃÖ¤ò³«»Ï¤·¤¿¤ÈÅÁ¤¨¤é¤ì¤Æ¤¤¤ë¡£
¡ûCopilot Studio¤ÎÀȼåÀ¡ÖCVE-2024-38206¡×¤Î³µÍ×
ȯ¸«¤µ¤ì¤¿¤³¤ÎÀȼåÀ¤Ï¡ÖCVE-2024-38206¡×¤È¤·¤ÆÆÃÄꤵ¤ì¤Æ¤¤¤ë¡£CVE-2024-38206¤Î¶¦ÄÌÀȼåÀɾ²Á¥·¥¹¥Æ¥à(CVSS: Common Vulnerability Scoring System)v3.1¤Î¥¹¥³¥¢ÃͤÏ8.5¤Èɾ²Á¤µ¤ì¤Æ¤ª¤ê¡¢¿¼¹ïÅ٤ϽÅÍ×(High)¤È°ÌÃ֤Ť±¤é¤ì¤Æ¤¤¤ë¡£¤¿¤À¤·Microsoft¤Îȯɽ¤Ç¤Ï¤³¤ÎÀȼåÀ¤¬°ÍѤµ¤ì¤ë²ÄǽÀ¤ÏÄ㤤¤ÈʬÀϤµ¤ì¤Æ¤¤¤ë(»²¹Í¡§¡ÖCVE-2024-38206 - Microsoft - Microsoft Copilot Studio Information Disclosure Vulnerability¡×)¡£
¤³¤Î·ç´Ù¤ò°ÍѤ¹¤ë¤³¤È¤Ç¥¤¥ó¥¹¥¿¥ó¥¹¥á¥¿¥Ç¡¼¥¿¥µ¡¼¥Ó¥¹(IMDS)¤äÆâÉô¤ÎCosmos DB¥¤¥ó¥¹¥¿¥ó¥¹¤Ê¤É¡¢Copilot Studio¤ÎÆâÉô¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤Ë¥¢¥¯¥»¥¹¤Ç¤¤Æ¤·¤Þ¤¦¤³¤È¤¬³Îǧ¤µ¤ì¤Æ¤¤¤ë¡£HttpRequestAction(Copilot Studio¤ÎHTTP¥ê¥¯¥¨¥¹¥È)¤òÁàºî¤¹¤ë¤³¤È¤ÇÄ̾ï¤Ï¥¢¥¯¥»¥¹¤Ç¤¤Ê¤¤ÆâÉô¥ê¥½¡¼¥¹¤ËÀܳ¤µ¤ì¡¢µ¡Ì©À¤Î¹â¤¤¾ðÊó¤¬Àà¼è¤µ¤ì¤Æ¤·¤Þ¤¦¤³¤È¤¬Êó¹ð¤µ¤ì¤Æ¤¤¤ë¡£
¡ûMicrosoft¤¬Âбþ¤ò³«»Ï
Tenable¤ÏCopilot Studio¤Î¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤¬Ê£¿ô¤Î¸ÜµÒ(¥Æ¥Ê¥ó¥È)´Ö¤Ç¶¦Í¤µ¤ì¤Æ¤¤¤ë²ÄǽÀ¤¬¤¢¤ë¤È¤·¡¢±Æ¶Á¤ò¼õ¤±¤ë¥¤¥ó¥Õ¥é¥¹¥È¥é¥¯¥Á¥ã¤Ë¤è¤Ã¤Æ¤Ï¡¢Èï³²¤¬³ÈÂ礹¤ë²ÄǽÀ¤¬¤¢¤ë¤È»ØŦ¤·¤Æ¤¤¤ë¡£¶ñÂÎŪ¤Ê±Æ¶Á¤ÎÄøÅÙ¤ÏÉÔÌÀ¤È¤µ¤ì¤Æ¤¤¤ë¤¬¡¢¥ê¥¹¥¯¤Î¹â¤Þ¤ê¤¬·üÇ°¤µ¤ì¤Æ¤¤¤ë¡£
ȯ¸«¤µ¤ì¤¿CVE-2024-38206¤Ï¤¹¤Ç¤ËMicrosoft¤ËÊó¹ð¤µ¤ì¤Æ¤ª¤ê¡¢Microsoft¤¬¤³¤ÎÀȼåÀ¤ò½¤Àµ¤¹¤ë¤¿¤á¤ÎÁ¼ÃÖ¤ò³«»Ï¤·¤¿¤ÈÅÁ¤¨¤é¤ì¤Æ¤¤¤ë¡£
