
Ambiguous Vulnerability in Entra ID Enables Privileged Users to Gain Global Admin Access


At the ongoing Black Hat USA conference in Las Vegas, a potential security vulnerability in Microsoft Entra ID is being presented that could give an attacker broad access to an organization's cloud environment. The catch is that the attacker must already hold an administrative role in the tenant: specifically the Application Administrator or Cloud Application Administrator role.

In a presentation scheduled for 4:20 p.m. local time today, Eric Woodruff, a senior cloud security architect at Semperis, is set to show how a holder of such a role can abuse hidden layers of authentication in Entra ID to become a Global Administrator.

Global Administrator privileges allow a user to control any part of an organization's cloud services. According to Woodruff, this level of access is the cloud equivalent of being a domain administrator: it opens up email in Microsoft 365 and any application connected to Azure.

UnOAuthorized Access in the Cloud

Entra ID plays a pivotal role in managing and securing access within Microsoft 365 and Azure environments, as it oversees user roles and permissions across various cloud applications.

Entra ID organizes identities into tenants, one per organization. A tenant contains users, groups, and applications; each application is represented in the tenant by a service principal, and users, groups, and service principals can all be assigned roles and permissions.

The weakness Woodruff found is that users holding the Application Administrator or Cloud Application Administrator role can add credentials (a secret or certificate) directly to a service principal, including the service principals of Microsoft's own applications. An attacker with that role can then authenticate to Entra ID as the application whose service principal they equipped with a credential.

Using the OAuth 2.0 client credentials grant, the attacker exchanges that credential for access tokens issued to the application, which carry whatever permissions the application holds. Woodruff identified three Microsoft application service principals that can do more than their stated permissions suggest:

1. Viva Engage (formerly Yammer), the enterprise social networking service, can permanently delete users, including Global Administrators.

2. The Microsoft Rights Management Service can add users.

3. The Device Registration Service can elevate privileges all the way to Global Administrator.

Microsoft's Security Response Center (MSRC) rated these issues with severities ranging from medium to high.

Woodruff noted that the Device Registration Service issue is the most serious of the three. Application administrator roles are typically delegated to staff who perform routine tasks, which limits the damage they can do with the role alone. An administrator who knows about the paths he identified, however, could use them to elevate to Global Administrator.

Dealing With Cloud Permissions

When Woodruff reported the findings to Microsoft, the company explained that his actions were possible because of hidden layers of authentication operating behind the scenes.

Dark Reading has asked Microsoft how these hidden, layered authentication mechanisms work and what purpose they serve.

Microsoft is now addressing the issue with new controls that restrict the use of credentials on service principals. As a result, attempts to escalate privileges through the Device Registration Service now fail with an error from Microsoft Graph.

It is not known whether this has been exploited in the wild. Woodruff recommends that organizations review their Entra ID audit logs and check service principals for leftover attacker credentials. Neither check is conclusive: audit logs are retained only for a limited period, and attackers can clean up after themselves.
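As an added example (not part of the Dark Reading article or Woodruff's talk), the Python below implements the two checks Woodruff recommends against the attack path described above: it hunts an exported set of Entra ID audit records for credentials added to or removed from service principals whose backing application is owned by another tenant (which is what Microsoft's first-party applications such as the Device Registration Service look like in your tenant), and it lists any unexpired secret or certificate still attached to such a service principal. The sample service principals and audit records are constructed to mirror the shape of the Microsoft Graph `/servicePrincipals` and `/auditLogs/directoryAudits` responses; the object IDs, tenant placeholder and account names are made up. The Microsoft Services tenant constant is the well-known owner of Microsoft's first-party applications, but the logic treats any owner other than your own tenant as foreign, so it does not depend on that value.

```python
from datetime import datetime

# Well-known tenant that owns Microsoft's first-party applications (Device
# Registration Service, Viva Engage, ...). The check treats any owner other
# than our own tenant as "foreign", which covers that case.
MICROSOFT_SERVICES_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
OUR_TENANT = "00000000-0000-4000-8000-000000000001"  # constructed placeholder

# Constructed sample shaped like GET /servicePrincipals, trimmed to the
# properties the check needs. Object IDs are placeholders.
SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "displayName": "Device Registration Service",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [{"keyId": "pw-0001",
                              "endDateTime": "2026-08-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-0002", "displayName": "Viva Engage",
     "appOwnerOrganizationId": MICROSOFT_SERVICES_TENANT,
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "cert-0001",                # expired
                         "endDateTime": "2023-01-01T00:00:00Z"}]},
    {"id": "sp-0003", "displayName": "Contoso Payroll Connector",
     "appOwnerOrganizationId": OUR_TENANT,                    # our own app
     "passwordCredentials": [{"keyId": "pw-0002",
                              "endDateTime": "2025-01-01T00:00:00Z"}],
     "keyCredentials": []},
]

# Constructed sample shaped like GET /auditLogs/directoryAudits.
AUDIT_RECORDS = [
    {"activityDateTime": "2024-08-05T09:12:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "type": "ServicePrincipal",
                          "displayName": "Device Registration Service"}]},
    {"activityDateTime": "2024-08-05T09:40:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.example"}},
     "targetResources": [{"id": "sp-0003", "type": "ServicePrincipal",
                          "displayName": "Contoso Payroll Connector"}]},
    {"activityDateTime": "2024-08-06T22:03:00Z", "result": "success",
     "activityDisplayName": "Remove service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}},
     "targetResources": [{"id": "sp-0002", "type": "ServicePrincipal",
                          "displayName": "Viva Engage"}]},
]

# Both directions matter: the removal is what an attacker's clean-up leaves.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials",
                         "Remove service principal credentials"}


def parse_ts(value):
    """Parse Graph's ISO-8601 UTC timestamps ('...Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_foreign_owned(sp, our_tenant=OUR_TENANT):
    """True when the backing application belongs to another tenant, which is
    the case for Microsoft's first-party applications."""
    owner = sp.get("appOwnerOrganizationId")
    return bool(owner) and owner != our_tenant


def credential_events_on_foreign_sps(audit_records, service_principals,
                                     our_tenant=OUR_TENANT):
    """Audit entries where credentials were added to or removed from a
    foreign-owned service principal: the action the talk describes."""
    sps = {sp["id"]: sp for sp in service_principals}
    hits = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        initiator = rec.get("initiatedBy") or {}
        actor = ((initiator.get("user") or {}).get("userPrincipalName")
                 or (initiator.get("app") or {}).get("displayName", "unknown"))
        for target in rec.get("targetResources", []):
            sp = sps.get(target.get("id"))
            if (target.get("type") != "ServicePrincipal" or sp is None
                    or not is_foreign_owned(sp, our_tenant)):
                continue
            hits.append({"when": rec["activityDateTime"],
                         "activity": rec["activityDisplayName"],
                         "result": rec.get("result"), "actor": actor,
                         "target": sp["displayName"]})
    return hits


def lingering_credentials(service_principals, now, our_tenant=OUR_TENANT):
    """Unexpired secrets or certificates still attached to foreign-owned
    service principals; a first-party SP should normally carry none."""
    found = []
    for sp in service_principals:
        if not is_foreign_owned(sp, our_tenant):
            continue
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind, []):
                if parse_ts(cred["endDateTime"]) > now:
                    found.append((sp["displayName"], kind, cred["keyId"]))
    return found


if __name__ == "__main__":
    for hit in credential_events_on_foreign_sps(AUDIT_RECORDS, SERVICE_PRINCIPALS):
        print("AUDIT ", hit)
    for row in lingering_credentials(SERVICE_PRINCIPALS, parse_ts("2024-08-07T00:00:00Z")):
        print("LINGER", row)
```

Against the sample data, the audit check flags the help desk account's credential addition on the Device Registration Service and its later credential removal on Viva Engage, while the DevOps change to the in-house connector is ignored; the inventory check finds the still-valid secret on the Device Registration Service and skips the expired certificate. For real data, feed it the results of `GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,displayName,appOwnerOrganizationId,passwordCredentials,keyCredentials` and of `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` filtered on the two activity names. Because audit log retention is limited, the inventory check is the one that still works after the log entries have aged out, but it misses an attacker who already removed the credential.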

Reflecting on his experience, Woodruff pointed to a worrying pattern: many organizations put inadequate protection around their application administrators. He stated, "It's common to see security breaches where attackers compromise help desk accounts, leading to escalated privileges within a domain."

This discovery fits that pattern, but it was still somewhat alarming. Woodruff commented, "It was surprising to realize that many organizations do not adequately safeguard their application administrators as they should."

Source
www.darkreading.com
