
Users warned over Azure Active Directory authentication flaw


Secureworks researchers have found what they say is a serious vulnerability in an Azure Active Directory authentication method, but Microsoft says it does not pose a significant risk to users

Alex Scroxton

Published: 13 Sep 2022 14:45

Researchers at Secureworks Counter Threat Unit (CTU) have warned of a fresh and potentially serious vulnerability affecting the pass-through authentication (PTA) hybrid identity authentication method found in Azure Active Directory (AD).

PTA is one of three authentication options available for hybrid identities in Azure AD, the others being password-hash synchronisation (PHS) and identity federation.

It is considered a good option for organisations that cannot or do not want to synchronise password hashes to the cloud, or, ironically, those that need stronger authentication controls. Compared with identity federation, which is usually implemented with Active Directory Federation Services (AD FS), PTA is often held to be the more secure choice; AD FS was notably exploited in the SolarWinds attack.

PTA works by installing agents on on-premises servers, up to a maximum of 40 per tenant. When a user accesses a service that uses the Azure AD identity platform, such as Microsoft 365, and enters their credentials, Azure AD encrypts them and sends an authentication request to one of the agents, which decrypts the credentials, logs in with them, and returns the result.

However, the CTU research team has demonstrated a working proof of concept (PoC) for an exploit that, if left unchecked, could be used by a threat actor to abuse PTA's core installation processes and steal the agent's identity by exporting the certificate it uses for certificate-based authentication (CBA).

With this certificate in hand, a threat actor can carry out a number of malicious actions, as the CTU team explained in its disclosure notice.

"The compromised certificate may be used with the attacker-controlled PTA agent to generate an undetectable backdoor, allowing threat actors to sign in using invalid passwords, gather credentials, and perform remote denial of service (DoS) attacks," said the team. "Attackers can renew the certificate when it expires to keep persistence in the network for a long time. A compromised certificate can't be revoked by an organisation's administrators."

However, although the researchers shared their findings with Microsoft some months ago, Microsoft has insisted PTA is working as intended and has given no indication of any plans to address the vulnerability.

The Microsoft Security Response Center (MSRC) said: "We completed the assessment for this issue and we understand that the attack surface for this requires compromising a high security asset by gaining administrative access in the first place.

"If the customer followed our hardening guidance but the attacker still has access to the server that runs the PTA agent, they already had access to the user credentials, hence we believe this vulnerability alone does not pose an additional risk.

"As a mitigation mechanism, we do have the ability to block agents on the server side based on customer escalations, and moreover we are looking at ways to improve our audit logs as an improved detection mechanism."

Nevertheless, Secureworks CTU recommends that Azure AD users take the following actions to protect their tenants:

  • Treat all on-premises hybrid identity components, including servers running PTA agents, as tier-zero servers;
  • Consider adopting alternative hybrid authentication methods, such as PHS or identity federation;
  • Monitor for activity indicative of compromise, such as someone signing in with an incorrect password. This activity is visible in the Azure AD portal and via the beta version of the Microsoft Graph sign-ins report. If a potentially compromised PTA agent is seen, it can be invalidated by creating a support request in the Azure AD portal;
  • Introduce multi-factor authentication to prevent cyber criminals exploiting a PTA agent.
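The monitoring recommendation above is the kind of check a defender can script against the sign-in log. The Python below is an added example, not Secureworks' or Microsoft's code. It runs two heuristics over constructed sign-in records whose field names (`user`, `ip`, `method`, `agent`, `result`, `reason`) are assumptions for illustration rather than the Microsoft Graph schema, and the allowlist and thresholds are likewise assumed values a tenant would set for itself: it flags a PTA-validated success reported by an agent identifier that is not in the administrator-maintained inventory of known agents, and a PTA success that arrives shortly after a burst of wrong-password failures for the same user and source IP.

```python
"""Heuristic detector for sign-in patterns that may indicate a compromised
pass-through authentication (PTA) agent.

Added example, not code from Secureworks or Microsoft. The record layout is a
constructed, simplified stand-in for Azure AD sign-in log entries; the field
names are assumptions, not the Microsoft Graph signIn schema.

Heuristic 1: a successful PTA sign-in attributed to an agent that is not in
             the tenant's known-agent inventory.
Heuristic 2: a successful PTA sign-in for a user/IP pair within WINDOW of
             at least FAILURE_BURST wrong-password failures for that pair.
             The log cannot show that an accepted password was wrong, so the
             failures that precede the success are the observable proxy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the tenant keeps an inventory of its legitimate PTA agents.
KNOWN_AGENTS = {"pta-agent-01", "pta-agent-02"}
FAILURE_BURST = 3            # assumed threshold, tune per tenant
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample records (not real log data). Times are ISO 8601.
SAMPLE_SIGNINS = [
    {"time": "2022-09-13T08:00:00", "user": "alice@example.com", "ip": "203.0.113.5",
     "method": "PTA", "agent": "pta-agent-01", "result": "failure", "reason": "invalid_password"},
    {"time": "2022-09-13T08:01:00", "user": "alice@example.com", "ip": "203.0.113.5",
     "method": "PTA", "agent": "pta-agent-01", "result": "failure", "reason": "invalid_password"},
    {"time": "2022-09-13T08:02:00", "user": "alice@example.com", "ip": "203.0.113.5",
     "method": "PTA", "agent": "pta-agent-01", "result": "failure", "reason": "invalid_password"},
    {"time": "2022-09-13T08:03:00", "user": "alice@example.com", "ip": "203.0.113.5",
     "method": "PTA", "agent": "pta-agent-01", "result": "success", "reason": ""},
    {"time": "2022-09-13T08:05:00", "user": "bob@example.com", "ip": "198.51.100.7",
     "method": "PTA", "agent": "pta-agent-99", "result": "success", "reason": ""},
    {"time": "2022-09-13T08:06:00", "user": "carol@example.com", "ip": "192.0.2.9",
     "method": "PTA", "agent": "pta-agent-02", "result": "failure", "reason": "invalid_password"},
    {"time": "2022-09-13T08:07:00", "user": "carol@example.com", "ip": "192.0.2.9",
     "method": "PTA", "agent": "pta-agent-02", "result": "success", "reason": ""},
    {"time": "2022-09-13T08:08:00", "user": "dave@example.com", "ip": "192.0.2.10",
     "method": "PHS", "agent": "", "result": "success", "reason": ""},
]


def parse_time(value):
    """Parse the ISO 8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def find_suspicious(records, known_agents=KNOWN_AGENTS,
                    burst=FAILURE_BURST, window=WINDOW):
    """Return a list of (rule, user, agent, time) alerts for PTA sign-ins.

    Records are processed in time order; only PTA-validated sign-ins are
    considered. Wrong-password failures are remembered per (user, ip) and
    cleared once a success for that pair has been evaluated.
    """
    alerts = []
    recent_failures = defaultdict(list)  # (user, ip) -> [failure timestamps]

    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["method"] != "PTA":
            continue  # PHS / federation sign-ins are out of scope here
        when = parse_time(rec["time"])
        key = (rec["user"], rec["ip"])

        if rec["result"] == "failure" and rec["reason"] == "invalid_password":
            recent_failures[key].append(when)
            continue
        if rec["result"] != "success":
            continue  # other failure reasons (lockout, MFA denied) are ignored

        # Heuristic 1: success attributed to an agent we do not know about.
        if rec["agent"] not in known_agents:
            alerts.append(("unknown_agent", rec["user"], rec["agent"], rec["time"]))

        # Heuristic 2: success shortly after a burst of wrong-password failures.
        in_window = [f for f in recent_failures[key] if when - f <= window]
        if len(in_window) >= burst:
            alerts.append(("success_after_failure_burst", rec["user"],
                           rec["agent"], rec["time"]))
        recent_failures[key] = []  # the success closes the correlation window

    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_SIGNINS):
        print(alert)
```

On the constructed input the script raises two alerts: the success for alice after three wrong-password attempts, and the success for bob attributed to an agent that is not in the inventory. An unknown agent identifier is the stronger signal, since it maps directly onto the response the article describes (invalidating the agent via a support request); the failure-burst rule is a proxy that will also catch ordinary users who mistype a password several times, so its thresholds need tuning against a tenant's own baseline before it is used to page anyone.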
