Secureworks has released details of what it claims are flaws in how Azure Active Directory handles account credentials.
In a new study published on Tuesday, the security vendor said its Threat Unit (CTU) research team discovered issues in the company’s Pass-Through Authentication (PTA) platform. Azure that could potentially allow a remote attacker to create persistent remote access to Azure installations.
Designed to provide a single sign-on method for on-premises and Azure cloud applications, PTA allows an on-premises server to issue user certificates that will be valid across cloud and on-premises services through Active Directory.
According to CTU researchers, PTA contains a weakness in the way it handles these critical digital certificates. They discovered that an attacker who accessed one of the authentication servers could create custom agents capable of stealing PTA certificates and handling login requests.
By using a compromised administrator account, CTU researchers discovered that an attacker could easily access and export the valid certificate and private key that a PTA uses to validate itself to users during login attempts.
Once in place, fake agents would be able to accept login requests from users with incorrect passwords, deny requests from users with valid passwords and create a DoS attack, or operate normally and secretly collect user account credentials for use in future attacks.
What’s worse, the CTU team said, is that if an attacker were to create such a scenario, it would be extremely difficult for administrators to detect it, let alone remove it and prevent exploitation. later.
“Admins can remove PTAs from servers but cannot directly remove PTAs from the Azure SQL database. Agents can only be removed from the database by keeping them inactive for ten days, after which they are automatically deleted by Microsoft,” the CTU researchers explained. in the report.
“If a malicious actor actively uses a certificate associated with the compromised PTA, the agent never becomes inactive.”
Although Secureworks said it reported the issues to Microsoft in May, no fixes were introduced or security alerts issued. “CTU researchers shared their findings with Microsoft on May 10, 2022. Microsoft responded on July 2 that PTA was working as expected and provided no indication of plans to fix the reported flaws,” the report said.
According to Secureworks, this is because Microsoft does not view the issue as a real vulnerability, but rather as a matter of Azure Active Directory working as intended with PTA; Microsoft told the CTU team that access to the certificates needed to perform the attack would require the attacker to have already taken control of a server on the victim’s network and obtained administrative access.
TectTarget Editorial has contacted Microsoft for comment, but the company had not responded at press time.
The need for administrator access has already been cited by Microsoft in response to vulnerability reports. The reasoning is that, for an attacker to gain access to the component in question, the attacker must already have administrator access, which means there is little or no need to even perform an exploit.
While this can help admins effectively prioritize patches to install for flaws that pose the most immediate risk, it can also lead to overlooking lesser-severity bugs that can be chained together for a more serious compromise.