As businesses around the world move their digital infrastructure from self-hosted servers to the cloud, they benefit from the standardized, built-in security features of major cloud providers such as Microsoft. But with so much riding on these systems, any problem that does arise can have disastrous consequences at large scale. Case in point: security researcher Dirk-Jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure's identity and access management platform that could have been leveraged for a catastrophic takeover of every Azure customer account.
The system, called Entra ID, stores the user identities, login access controls, applications, and subscription management tools for each Azure cloud customer. Mollema has long dug into Entra ID security and has published several studies on weaknesses in the system, formerly known as Azure Active Directory. But while preparing a presentation for the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges (effectively "god mode") and compromise every Entra ID directory, or so-called "tenant". This would have exposed almost every Entra ID tenant in the world, apart from government cloud infrastructure, Mollema said.
"I just stared at the screen. I was like, 'No, this is not true,'" Mollema said. "It's awful. I would say, as bad as possible."
"From my own tenant (my test tenant, or even a trial tenant), you can ask for these tokens and you can basically mimic other people in anyone else's tenant," Mollema added. "This means you can modify someone else's configuration, create new users and manage users in that tenant, and do whatever you want."
Given the severity of the vulnerabilities, Mollema reported his findings to the Microsoft Security Response Center on July 14, the same day he discovered the flaws. Microsoft began investigating that day and released a fix worldwide on July 17. The company confirmed to Mollema by July 23 that the issue had been addressed, and it implemented additional measures in August. Microsoft released a CVE for the vulnerability on September 4.
"As part of our security future plans, we quickly mitigated the newly identified issues and accelerated the remediation efforts for the legacy protocol," Tom Gallagher, vice president of engineering at Microsoft's Security Response Center, told Wired in a statement. "We implemented code changes in the fragile verification logic, tested the fixes, and applied them across our cloud ecosystem."
Gallagher said Microsoft found “no evidence of abuse” of the vulnerability during the investigation.
Both vulnerabilities involve legacy systems that still operate within Entra ID. The first involves a type of Azure authentication token, called an Actor token, that Mollema found is issued by an obscure Azure mechanism called "Access Control Services". Actor tokens have some special system properties, and Mollema realized that using one in combination with a second vulnerability could be valuable to attackers. That second bug is a major flaw in the historic Azure Active Directory application programming interface known as "Graph", which is used to facilitate access to data stored in Microsoft 365. Microsoft is transitioning users from Azure Active Directory Graph to its successor, Microsoft Graph, which now serves the data used by Entra ID. The flaw stems from Azure AD Graph failing to correctly verify which Azure tenant an access request was being made for, which could be exploited so that the API accepted Actor tokens from other tenants that should have been rejected.
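To make that validation failure concrete, the following is an added toy illustration (my own code, not Microsoft's; the token format, the HMAC signing scheme and the `tid` claim name are all constructed assumptions) of a resource API that checks a token's signature and expiry but not its tenant, beside the tenant-bound check that rejects cross-tenant use:

```python
# Added illustration, not Microsoft's code: a toy resource API showing the bug
# class described above, where a validly signed token issued for one tenant is
# accepted for a request against a different tenant. Token format, claim names
# and the signing scheme are constructed for this example only.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key"  # placeholder, not a real secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(tenant_id: str, subject: str, ttl: int = 3600) -> str:
    """Mint a signed token bound to the issuing tenant ("tid" is an assumed claim name)."""
    claims = {"tid": tenant_id, "sub": subject, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify(token: str) -> Optional[dict]:
    """Check signature and expiry only; return the claims, or None if invalid."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def authorize_vulnerable(token: str, target_tenant: str) -> bool:
    """Flawed check: any validly signed token is accepted for any tenant's data."""
    return _verify(token) is not None


def authorize_fixed(token: str, target_tenant: str) -> bool:
    """Hardened check: the token's tenant claim must match the tenant being accessed."""
    claims = _verify(token)
    return claims is not None and claims.get("tid") == target_tenant
```

The detection angle for defenders is the same comparison: log the tenant a token was issued for alongside the tenant whose data a request touches, and alert on any mismatch.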