The best cybersecurity is only as good as its weakest point, and earlier this year security researchers discovered a privilege escalation issue associated with a Microsoft Entra ID (formerly Azure Active Directory) application. The weak point was something as simple as an abandoned reply URL: a redirect address still registered on the application but no longer pointing at anything the application's owner controlled. An attacker who claimed that address could have the application's authorization codes redirected to it, then exchange those "ill-gotten authorization codes" for access tokens.
According to the Counter Threat Unit (CTU) Research Team at Secureworks, the threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges.
“CTU researchers reported the issue to Microsoft at the beginning of April 2023. Microsoft quickly confirmed privilege escalation was possible and assigned a critical severity rating. Within 24 hours of the CTU notification, Microsoft addressed the issue by removing the identified abandoned reply URL from the Azure AD application,” Secureworks announced in a post on its website last week, and then on Monday revealed additional details about limitations that would impact customers’ ability to mitigate this issue directly.
The researchers determined that even deleting the first-party app would not address this issue because the app is pre-consented for all tenants.
“An identified abandoned Dynamics Data Integration app reply URL was associated with the Azure Traffic Manager profile (dataintegratorui . trafficmanager . net),” the researchers also noted. “As with many first-party Microsoft applications, this application was pre-consented. As a result, no additional consent was required to stage the attack.”
The CTU researchers recommend monitoring for abandoned reply URLs.
Quite the Rebrand!
In July, Microsoft rebranded Azure Active Directory as Microsoft Entra ID. The service provides a range of security features, including single sign-on, multifactor authentication, and conditional access.
Microsoft had said Entra ID could defend against 99.9% of cybersecurity attacks.
There are always going to be vulnerabilities, and this one was addressed quickly: Microsoft removed the abandoned reply URL from the application within 24 hours of the researchers' report.
“When researchers find such vulnerabilities, they only publish them after they already have alerted Microsoft,” technology industry analyst Roger Entner of Recon Analytics told ClearanceJobs. “Microsoft already fixed the vulnerability.”
The transition from Azure AD to Microsoft Entra ID will be finalized by the end of 2023, requiring no customer action, BleepingComputer reported.
Abandoned Reply URLs – A Serious Risk!
The CTU team further advised that keeping track of Azure AD applications' reply URLs is important to avoid the attack described in its analysis. The researchers also said they had found no evidence that the issue had been abused as of publication. However, because the identified application is managed by the vendor, organizations cannot mitigate this issue directly. As a result, for vendors, the only option would be deleting the service principal, which would nullify any legitimate use of the app.
Since the discovery of the exploit, Secureworks has also made available an open-source tool that other organizations can use to scan for abandoned reply URLs.
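The monitoring the CTU researchers recommend comes down to one check: does every reply URL registered on an application still point at a host its owner controls? The script below is an added example written for this article, not the Secureworks tool or any Microsoft code. It takes a list of app registrations in the shape Microsoft Graph returns (the `replyUrls` sample data is constructed), resolves each reply URL's hostname, and reports hosts that no longer resolve. Hosts under Azure DNS suffixes that anyone can re-register once the original resource is deleted (the `TAKEOVER_SUFFIXES` list is an assumption for this example, with `trafficmanager.net` included because that is the suffix named in the advisory) are flagged separately, since those are the ones an attacker can actually take over. A simulated resolver is included so the sample runs offline.

```python
"""Flag abandoned reply URLs on Azure AD / Entra ID app registrations.

Added example, not the Secureworks scanner or Microsoft code. It reads app
registrations (constructed sample below), resolves each reply URL's host,
and reports hosts that no longer resolve. Hosts under Azure suffixes that a
different tenant could re-register are flagged as takeover risks.
"""
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Assumed list of Azure DNS suffixes where a deleted resource's name can be
# re-registered by someone else. Extend it for your own environment.
TAKEOVER_SUFFIXES = (
    "trafficmanager.net",
    "azurewebsites.net",
    "cloudapp.azure.com",
    "cloudapp.net",
    "azurefd.net",
    "azure-api.net",
    "blob.core.windows.net",
)

# Constructed sample in the shape of Microsoft Graph output: an application's
# web.redirectUris and its service principal's replyUrls hold the same strings.
SAMPLE_APPS: List[Dict] = [
    {"displayName": "Dynamics Data Integration (illustrative)",
     "replyUrls": [
         # host named in the advisory; Microsoft has since removed this reply URL
         "https://dataintegratorui.trafficmanager.net/signin-oidc",
         "https://admin.powerplatform.example/signin-oidc",
     ]},
    {"displayName": "Payroll Portal",
     "replyUrls": ["https://payroll.example.com/auth/callback"]},
    {"displayName": "Developer Tool",
     "replyUrls": ["http://localhost:3000/callback",
                   "msauth://com.example.devtool/callback"]},
    {"displayName": "Old Marketing Site",
     "replyUrls": ["https://old-site.example.org/oauth2/callback"]},
]

# Hosts the simulated resolver treats as live, so the sample runs offline.
LIVE_HOSTS = {"admin.powerplatform.example", "payroll.example.com"}


def default_resolves(host: str) -> bool:
    """Real DNS check: True if the host has any A/AAAA record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def simulated_resolves(host: str) -> bool:
    """Offline stand-in for DNS, used only with the constructed sample."""
    return host in LIVE_HOSTS


def classify_reply_url(url: str,
                       resolves: Callable[[str], bool] = default_resolves) -> str:
    """Return live / loopback / not-a-network-url / abandoned / abandoned-takeover-risk."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("https", "http") or not host:
        return "not-a-network-url"      # e.g. msauth://, ms-appx-web://
    if host in ("localhost", "127.0.0.1", "::1"):
        return "loopback"               # never reaches a public host
    if resolves(host):
        return "live"
    if any(host == s or host.endswith("." + s) for s in TAKEOVER_SUFFIXES):
        return "abandoned-takeover-risk"
    return "abandoned"


def scan_apps(apps: List[Dict],
              resolves: Callable[[str], bool] = default_resolves) -> List[Dict[str, str]]:
    """Collect every reply URL whose host no longer resolves."""
    findings = []
    for app in apps:
        for url in app.get("replyUrls", []):
            verdict = classify_reply_url(url, resolves)
            if verdict.startswith("abandoned"):
                findings.append({"app": app["displayName"], "url": url, "verdict": verdict})
    return findings


def scan_sample() -> List[Dict[str, str]]:
    """Run the scan over the constructed sample with the offline resolver."""
    return scan_apps(SAMPLE_APPS, simulated_resolves)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['verdict']:<25} {f['app']}: {f['url']}")
```

In a real tenant the input comes from Microsoft Graph (`GET /applications`, reading `web.redirectUris`, and `GET /servicePrincipals`, reading `replyUrls`) and `scan_apps` is called with the default resolver. Two caveats: a host that fails to resolve is not automatically claimable, so the suffix list is a heuristic for prioritising, not proof of exposure; and, as the article notes, for first-party Microsoft applications this scan can only tell you the problem exists, since the reply URL list is the vendor's to change.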
“This vulnerability showcases how identity has become the forefront of cybersecurity. While identity is pervasive and empowers employees, partners, and contractors to do their jobs efficiently, it can also be exploited to harm an organization,” explained Wade Ellery, field chief technology officer at data security provider Radiant Logic.
“Detecting abnormal activity related to identity data is crucial for an organization’s cybersecurity posture,” Ellery told ClearanceJobs via an email. “Quickly spotting changes in access privileges and having full visibility over user behavior can help IT teams make informed decisions and respond promptly to emerging threats. Adopting a holistic identity-first mindset will help organizations secure critical assets and optimize defenses.”