Microsoft has fixed an exploit in Azure Active Directory (AD) authentication. The vulnerability allowed intruders to escalate account privileges and control the entire account.
Organizations deploy Azure AD to control user access. Examples include providing the backend for Office 365 users or centralising authentication between on-prem and cloud-based environments.
nOAuth
The misconfiguration has been called nOAuth by Descope, the party that discovered the vulnerability. AD OAuth applications that use email claims to generate access tokens are at risk. The process for exploitation sounds as simple as it is worrisome. A threat actor’s Azure AD admin account need only have a target’s email address for reference to log into a vulnerable application. From then on, privileges can be escalated, including lateral movement within the affected environment.
In a blog, Descope identifies where things went wrong with Azure AD’s configuration. The email claim is mutable and does not require authentication to count as an identifier. Microsoft already discouraged users from using email for login, according to Descope.
Vulnerable
Descope does not name the targets by name, but speaks of “several major applications” that were exploited. This included a design app with millions of monthly users, a publicly traded customer experience company and a multi-cloud consulting firm. Administrators of vulnerable applications can turn to Descope’s “Suggested remediation steps” for help.
Given Azure AD’s massive market share within the identity and access management world (27.53 percent according to 6sense), such a vulnerability could potentially do a considerable amount of damage. However, Microsoft has already contacted vulnerable parties behind the scenes after it received word from Descope about the exploit on April 11.
Also read: Microsoft Bing penetrated through misconfiguration in Azure Active Directory