
    Major Security Flaw in Microsoft Entra ID Risks Unauthorized Global Admin Access

    A severe security vulnerability in Microsoft Entra ID, the company’s identity and access management service, has been uncovered, revealing that privileged users could potentially escalate their access to global administrator status. This flaw presents a serious threat to organizations’ cloud environments by allowing unauthorized control over critical resources.

    Eric Woodruff, Senior Cloud Security Architect at Semperis, disclosed the issue at the recent Black Hat conference. The vulnerability enables users with admin-level access to exploit authentication mechanisms within Microsoft systems, granting them expansive global administrator privileges. Woodruff described the impact of this flaw, stating, “It’s like being a domain administrator in the cloud. As a global administrator, you can do anything: access people’s emails in Microsoft 365, and move into any application tied to Azure, among other actions.”

    Understanding the Microsoft Entra ID Vulnerability

    Entra ID is integral to managing and securing access across Microsoft 365 and Azure platforms. It utilizes “service principals” to represent users, groups, and applications, assigning them specific roles and permissions. The discovered vulnerability stems from a design flaw allowing users with roles such as Application Administrator or Cloud Application Administrator to directly assign credentials to a service principal. This flaw enables attackers to masquerade as the targeted application and gain unauthorized access using OAuth 2.0 client credentials.

    Woodruff identified three critical vulnerable application service principals:

    Viva Engage (formerly Yammer): Attackers could delete users, including Global Administrators.

    Microsoft Rights Management Service: Attackers could improperly add users.

    Device Registration Service: Attackers could elevate their privileges to Global Administrator status, the most critical of the issues identified.

    Microsoft Security Response Center (MSRC) rated these vulnerabilities with medium, low, and high severity, respectively, with the Device Registration Service issue being the most critical.

    Response and Mitigation

    In response to this vulnerability, Microsoft has implemented new controls to restrict credential usage on service principals. Attempts to use the Device Registration Service for privilege escalation now trigger an error from Microsoft Graph, preventing unauthorized privilege increases and enhancing overall security.

    Although there is currently no concrete evidence that this flaw has been exploited in the wild, organizations are encouraged to review their Entra ID audit logs for any signs of residual attacker credentials. Detecting such activity can be challenging, however, because audit logs expire and attackers may take steps to conceal their actions.
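The two defensive checks the article implies, enumerating Microsoft-owned service principals that carry credentials they should never have (the condition described under "Understanding the Microsoft Entra ID Vulnerability") and tying each one back to the "Add service principal credentials" audit event and the account that performed it, can be run offline against an exported Graph inventory. The script below is an added example written for this page; it is not code from the article, from Semperis, or from Microsoft. It assumes a tenant id placeholder, constructed sample objects shaped like Microsoft Graph `servicePrincipal` and `directoryAudit` records, and placeholder ids throughout; only the Graph property names and the audit activity name are real.

```python
"""Added example: offline triage of an Entra ID export for credentials placed on
service principals whose application is owned by another tenant (Microsoft
first-party apps are such cases). Not code from the article or from Semperis;
all ids, names and dates below are constructed placeholders."""
import json
from datetime import datetime

# Placeholder for the tenant under review (assumption, not a real tenant id).
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample of GET /servicePrincipals output, restricted to the
# properties the check needs. Property names follow Microsoft Graph; values are made up.
SERVICE_PRINCIPALS_JSON = """[
  {"id": "sp-0001", "displayName": "Example First-Party Service",
   "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
   "keyCredentials": [],
   "passwordCredentials": [{"keyId": "k-1", "displayName": "backup",
                            "startDateTime": "2024-07-30T09:12:00Z",
                            "endDateTime": "2026-07-30T09:12:00Z"}]},
  {"id": "sp-0002", "displayName": "Line-of-business app",
   "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111",
   "keyCredentials": [],
   "passwordCredentials": [{"keyId": "k-2", "displayName": "ci",
                            "startDateTime": "2024-01-01T00:00:00Z",
                            "endDateTime": "2025-01-01T00:00:00Z"}]},
  {"id": "sp-0003", "displayName": "Another first-party service",
   "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
   "keyCredentials": [], "passwordCredentials": []}
]"""

# Constructed sample of GET /auditLogs/directoryAudits output.
AUDIT_LOG_JSON = """[
  {"activityDisplayName": "Add service principal credentials",
   "activityDateTime": "2024-07-30T09:12:04Z",
   "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}, "app": null},
   "targetResources": [{"id": "sp-0001", "displayName": "Example First-Party Service",
                        "type": "ServicePrincipal"}]},
  {"activityDisplayName": "Add service principal credentials",
   "activityDateTime": "2024-07-30T10:00:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "dev@example.test"}, "app": null},
   "targetResources": [{"id": "sp-0002", "displayName": "Line-of-business app",
                        "type": "ServicePrincipal"}]},
  {"activityDisplayName": "Update application",
   "activityDateTime": "2024-07-30T11:00:00Z",
   "initiatedBy": {"user": {"userPrincipalName": "dev@example.test"}, "app": null},
   "targetResources": [{"id": "sp-0001", "displayName": "Example First-Party Service",
                        "type": "ServicePrincipal"}]}
]"""


def foreign_owned_with_credentials(service_principals, our_tenant_id):
    """Service principals whose app is registered in another tenant yet carry a
    secret or certificate in ours. A Microsoft app never needs such a credential
    to function, so any hit deserves a look."""
    hits = []
    for sp in service_principals:
        owner = sp.get("appOwnerOrganizationId")
        creds = (sp.get("keyCredentials") or []) + (sp.get("passwordCredentials") or [])
        if owner and owner != our_tenant_id and creds:
            hits.append({"id": sp["id"], "displayName": sp["displayName"],
                         "credentialCount": len(creds)})
    return hits


def credential_additions(audit_entries, sp_ids):
    """Audit events that added a credential to one of the given service
    principals, with the user (or app) that initiated each one."""
    wanted = set(sp_ids)
    events = []
    for entry in audit_entries:
        if entry.get("activityDisplayName") != "Add service principal credentials":
            continue
        for target in entry.get("targetResources", []):
            if target.get("id") not in wanted:
                continue
            initiated = entry.get("initiatedBy") or {}
            actor = ((initiated.get("user") or {}).get("userPrincipalName")
                     or (initiated.get("app") or {}).get("displayName") or "unknown")
            when = datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))
            events.append({"servicePrincipalId": target["id"], "actor": actor, "when": when})
    return events


def triage(sp_json, audit_json, our_tenant_id=OUR_TENANT_ID):
    """Join the two checks: each flagged service principal gets the list of
    audit events that explain its credentials. An empty list means the log
    evidence has aged out (or was never captured), which is itself a finding."""
    flagged = foreign_owned_with_credentials(json.loads(sp_json), our_tenant_id)
    events = credential_additions(json.loads(audit_json), [f["id"] for f in flagged])
    by_sp = {}
    for ev in events:
        by_sp.setdefault(ev["servicePrincipalId"], []).append(ev)
    for finding in flagged:
        finding["additions"] = by_sp.get(finding["id"], [])
    return flagged


if __name__ == "__main__":
    for finding in triage(SERVICE_PRINCIPALS_JSON, AUDIT_LOG_JSON):
        print(f"{finding['displayName']} ({finding['id']}): "
              f"{finding['credentialCount']} credential(s)")
        for ev in finding["additions"] or [None]:
            print("   " + (f"added by {ev['actor']} at {ev['when']:%Y-%m-%d %H:%M}Z"
                           if ev else "no add-credential event in retained logs"))
```

The ownership test is deliberately broader than the three applications named in the article: any credential on a service principal whose app lives in another tenant is anomalous, so the same logic catches the Viva Engage, Rights Management and Device Registration cases without hard-coding Microsoft application ids. In a real review the two JSON strings would be replaced by the output of the corresponding Graph calls, and a flagged entry with no matching audit event should be treated as unexplained rather than benign.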

    Woodruff observed a concerning trend: “Many organizations have relatively lax security around application administrators. A compromised help desk account can lead to domain admin status due to privilege chains.” This observation underscores the broader issue of inadequate security practices for application administrators.

    Conclusion

    The discovery of the Microsoft Entra ID vulnerability highlights the critical need for robust security measures and ongoing monitoring of privileged accounts. As organizations increasingly depend on cloud services and identity management solutions, addressing such vulnerabilities and safeguarding against unauthorized access must be a top priority to maintain strong security protocols.
