The Security Risks of MCP Servers

> Servizi con un approccio integrato > Entry 925362

The backbone of modern AI systems is the Large Language Models (LLM). In isolation, however, LLMs have no utility beyond conversation. This changed with the introduction of the Model Context Protocol (MCP): MCP establishes the standard communication protocol for AI systems to connect with external systems. This has dramatically increased the capabilities of LLMs by allowing them to interface with virtually any software. With MCP servers, LLMs are no longer conversational chatbots confined to their training data, but full-fledged agents capable of acting autonomously on behalf of users. MCP has enabled AI agents, which now dominate the AI and software landscape. 

Image in image block

Figure 1 - Diagram showing a typical architecture of a system using an MCP server.

MCP servers function as a bridge between LLMs and external systems. At a high level, an AI application is first pre-configured with the ability to use trusted MCP servers. Upon connecting, the MCP Server provides the application the list of Tools available for use, descriptions of the Tools, and instructions for how and when to use them. The application’s underlying LLM serves as the decision maker, deciding when it will benefit from an MCP tool call. When the LLM decides to use an MCP Tool, it outputs a Tool request for the MCP Client to send to the MCP Server. The MCP Server authenticates and authorizes the request, executes the Tool, interacting with external services as needed, and returns the final response to the MCP Client. Lastly, the LLM uses the Tool response to continue completing its task. 

For the finer details, the MCP specification can be found here: https://modelcontextprotocol.io/specification

Threats and Mitigations

The end-to-end MCP client-server dataflow presents a unique threat model. When threat modeling an AI system using an MCP Server, it is crucial to consider the non-deterministic nature of AI. Below we consider the threats and mitigations of a basic system with two components: an AI Application communicating with an MCP Server. 

AI Application

Threat

Mitigations

Indirect Prompt Injection
AI model inadvertently treats data returned by the MCP server as instructions which an attacker exploits to hijack the AI model

  • Prompt engineering: Ensure the system prompt instructs to model to not treat data as instructions
  • AI guardrails: Architect the system with safety layers that continuously monitor and verify the AI model’s inputs and outputs

Direct Prompt Injection
MCP server is compromised and an attacker causes it to respond with malicious instructions, hijacking the AI model

Unintended Tool Execution
AI model calls an MCP tool without the user’s intent or knowledge (e.g. a dangerous mutating tool)

  • Human-in-the-loop: Require human approval for dangerous tool calls
  • Tool allowlisting: Restrict the MCP tools that the LLM is allowed to call

Insecure MCP Response Handling
Malicious MCP response flows into unsafe sinks (e.g. command executions, filesystem writes, network calls, etc.)

  • Input validation: Restrict allowed inputs to only what is expected
  • Input sanitization: Escape and encode dangerous control characters like “&”

Context Window Poisoning
An MCP response poisons the AI agent’s memory or its other sources

  • HMAC signing: Sign each entry and verify the signature before use
  • Distrust MCP responses: Avoid storing data from MCP responses

MCP Server Spoofing
The application unknowingly communicates with an attacker-controlled MCP server

  • mTLS: Require Mutual TLS with short-lived certificates to authenticate the server
  • Network segmentation: Restrict allowed network communications to only trusted destinations
```html
MCP Server
Threat Mitigations
Confused Deputy
An attacker manipulates the MCP Server to perform actions using the server’s elevated privileges rather than their own limited privileges
  • Client authorization: Authorize each client individually and separate from the server’s identity
  • Continuous verification: Re-verify the client’s authorization for every request and at each step of the delegation chain
Excessive Capabilities
An MCP Tool accesses resources or performs operations on behalf of the user that the user by themself lacks the permissions to do
  • Strict authorization: Execute code only within the user’s own authorization context
  • Tool authorization: Restrict the advertised tools list based on the user’s permission level
Improper Access Controls
An attacker gains access to sensitive data or operations due to insufficient access controls
  • Authenticate users: Verify user identity with access tokens like API keys
  • Authorize access: Verify all resource access through an ACL
Insecure Input Handling
Untrusted user input may flow into unsafe sinks and result in a variety of injection attacks (e.g. SQLi, IDOR, RCE, etc.)
  • Input validation: Restrict allowed inputs to only what is expected
  • Input sanitization: Escape and encode dangerous control characters like “&”
Insecure Configuration
A misconfigured server introduces a variety of vulnerabilities
  • Continuous scanning: Configure periodic scans on the code and server to identify known vulnerabilities
  • Principle of least privilege: Limit the service user’s OS privileges to the minimum needed to function
Logo

More Information

Discover how cyber experts like Philip Salire Security Engineer and author of this article, can help secure your organization with AI Security Services. Fill out the form, and we’ll contact you within one business day.

Perché scegliere Bureau Veritas Cybersecurity?

Bureau Veritas Cybersecurity è il vostro partner esperto in materia di sicurezza informatica. Aiutiamo le organizzazioni a identificare i rischi, rafforzare le difese e conformarsi agli standard e alle normative in materia di sicurezza informatica. I nostri servizi riguardano persone, processi e tecnologie, dalla formazione sulla consapevolezza e l'ingegneria sociale alla consulenza sulla sicurezza, la conformità e i test di penetrazione.

Operiamo in ambienti IT, OT e IoT, supportando sia i sistemi digitali che i prodotti connessi. Con oltre 300 professionisti della sicurezza informatica in tutto il mondo, uniamo una profonda competenza tecnica a una presenza globale. Bureau Veritas Cybersecurity fa parte del Bureau Veritas Group, leader mondiale nel settore dei test, delle ispezioni e delle certificazioni.