Microsoft Fixes Critical Vulnerabilities in Azure Identity System

A pair of critical vulnerabilities in Microsoft Azure’s identity management platform, known as Entra ID, were recently discovered by cybersecurity researcher Dirk-jan Mollema. The flaws had the potential to enable unauthorized access to all Azure customer accounts, raising alarms regarding the security of cloud infrastructure utilized by businesses globally.
Entra ID, which manages user identities and access controls for Azure cloud customers, was found to contain weaknesses that could lead to a complete takeover of a customer’s account. Mollema, who runs the Dutch cybersecurity firm Outsider Security, was preparing for a presentation at the Black Hat security conference in Las Vegas when he identified the vulnerabilities. He described the discovery as shocking, stating, “I was just staring at my screen. I was like, ‘No, this shouldn’t really happen.’”
The researcher explained that the vulnerabilities could allow an attacker to gain global administrator privileges, effectively giving them “god mode” access across all Entra ID directories, referred to as “tenants.” “From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema noted. This level of access could enable malicious actors to modify configurations or create new administrative users across multiple accounts.
Upon discovering the vulnerabilities on July 14, 2023, Mollema promptly reported his findings to the Microsoft Security Response Center. Microsoft initiated an investigation the same day and rolled out a fix globally by July 17, 2023. The company confirmed that the vulnerabilities were addressed by July 23, 2023, and implemented additional security measures in August. A Common Vulnerabilities and Exposures (CVE) identifier for the issue was issued on September 4, 2023.
Tom Gallagher, vice president of engineering at Microsoft’s Security Response Center, stated, “We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative.” He assured that there was “no evidence of abuse” of the vulnerabilities during the investigation.
Both vulnerabilities stem from legacy systems still operational within Entra ID. The first involved a type of Azure authentication token known as Actor Tokens, which Mollema identified as potentially exploitable. The second vulnerability was a significant flaw in the Azure Active Directory Graph application programming interface, which failed to properly validate access requests from Azure tenants.
Michael Bargury, Chief Technology Officer at security firm Zenity, emphasized the severity of the vulnerabilities, stating, “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.” He highlighted the potential fallout had these vulnerabilities been exploited by malicious hackers, referencing a previous incident involving the Chinese cyber espionage group known as Storm-0558. This group had compromised a cryptographic key that enabled unauthorized access to Microsoft’s cloud-based Outlook email systems, affecting U.S. government departments and prompting Microsoft to enhance its security measures.
Mollema expressed appreciation for Microsoft’s swift action in response to his findings but underscored that the vulnerabilities could have allowed attackers to achieve far more than what was witnessed during the Storm-0558 incident. “With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” he explained. This level of access could have jeopardized any Microsoft service linked to Entra ID, including Azure, SharePoint, and Exchange.
The discovery and subsequent resolution of these vulnerabilities illustrate the ongoing challenges facing cloud security and the importance of proactive measures in safeguarding digital infrastructures. As organizations continue to transition to cloud-based systems, the security of identity management platforms like Entra ID remains critical to maintaining the integrity of user data and access controls.