Microsoft has published an important security advisory for Azure customers. A vulnerability in Azure Active Directory Connect (Azure AD Connect) may allow elevation of privilege if exploited.
The vulnerability was discovered in the password-writeback component of Azure AD Connect, which lets users reset their on-premises passwords from remote locations. If the password-writeback feature is misconfigured during setup, it can be exploited to let an intruder remotely reset passwords and gain access to privileged on-premises accounts in Active Directory.
When the password-writeback feature is enabled by the administrator, it may be misconfigured if Reset Password permission is inadvertently granted to AD privileged accounts, which may include Enterprise and Domain Administrator accounts. Should this occur, a network intruder may remotely change privileged account passwords and gain access to the on-premises Active Directory at the highest levels.
The vulnerability has been addressed in an update to Azure AD Connect. The latest version blocks the misconfiguration: it no longer allows arbitrary password resets of privileged on-premises user accounts in Active Directory.
Password-writeback is a convenient feature to enable for effective password management in an enterprise cloud environment. It allows system administrators to enforce password reset policies without manual intervention, because the AD Connect password-writeback feature automatically checks whether a new password meets the on-premises requirements for history, complexity and other custom policies when it is reset. The feature also uses the Azure Service Bus relay for communication, so administrators do not have to open inbound firewall ports to enable it.
Users are advised to check the AD Connect password-writeback settings to verify whether privileged accounts are included among the accounts for which remote Reset Password activity is permitted. The vulnerability may be corrected manually, by removing that access for privileged user accounts, or by installing the latest version of AD Connect, in which the misconfiguration is no longer allowed.
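The manual check described above, as an added example that is not part of the advisory or of Microsoft's tooling: it enumerates the protected (adminCount=1) accounts, plus the AdminSDHolder object whose ACL is stamped onto them, and reports any ACE that grants the Reset Password extended right (or all extended rights, or GenericAll) to the AD Connect connector account. The connector account naming pattern `MSOL_*` is an assumption to adjust for your tenant.

```powershell
# Audit which privileged on-premises accounts let the AD Connect connector account reset their password.
# Assumption (adjust as needed): the AD DS connector account created by Azure AD Connect is named MSOL_*.
Import-Module ActiveDirectory

$ConnectorPattern  = 'MSOL_*'
# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ConnectorResetPasswordGrants {
    param([string]$IdentityPattern = $ConnectorPattern)

    $domainDn = (Get-ADDomain).DistinguishedName
    # Protected accounts carry adminCount=1 (Domain Admins, Enterprise Admins, etc.).
    $targets  = @(Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName)
    # AdminSDHolder's ACL is periodically re-applied to every protected account, so a grant there
    # silently reappears on all of them even after it is removed from an individual user.
    $targets += "CN=AdminSDHolder,CN=System,$domainDn"

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notlike "*\$IdentityPattern") { continue }

            $rights      = $ace.ActiveDirectoryRights
            $hasExtended = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $hasGeneric  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
            # ObjectType = empty GUID with ExtendedRight means "all extended rights", which includes Reset Password.
            $coversReset = $hasGeneric -or ($hasExtended -and
                           ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [Guid]::Empty))
            if (-not $coversReset) { continue }

            [pscustomobject]@{
                Object    = $dn
                GrantedTo = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-ConnectorResetPasswordGrants
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No privileged account (or AdminSDHolder) grants Reset Password to the connector account.' }
```

Any row in the output is a candidate for the manual fix (remove the ACE, or recreate it scoped to non-privileged users only), and the AdminSDHolder row in particular must be cleaned before the per-account ones will stay fixed.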
In April, Microsoft published a list of Azure Active Directory vulnerabilities, which included five issues ranging from low to medium severity. At the low end, users were advised to eliminate unmanaged apps and to reduce the number of administrators, both of which were found to increase the attack surface. Weak authentication practices were rated a medium-level threat to networks. The current vulnerability was rated ‘important’ by the Microsoft security team, meaning that it should be investigated and addressed as quickly as possible.