Secureworks published details on what it claims are flaws in the way Azure Active Directory handles account credentials.
In new research posted Tuesday, the security vendor said its Counter Threat Unit (CTU) research team discovered issues in Azure's pass-through authentication (PTA) platform that would potentially allow a remote attacker to create persistent remote access to Azure installations.
Designed to provide a single sign-on method for both on-premises and Azure cloud applications, PTA allows an on-premises server to issue user certificates that will be valid across both cloud and local services via Active Directory.
According to the CTU researchers, PTA contains a weakness in how it handles those critical digital certificates. They found that an attacker who gained access to one of the authentication servers could create custom agents to steal PTA certificates and handle login requests.
Using a compromised administrator account, CTU researchers found that an attacker could easily access and export the valid certificate and private key a PTA agent uses to validate itself to users during login attempts.
Once in place, the phony agents could accept login requests from users with incorrect passwords, deny requests from users with valid passwords and create a DoS attack, or function as normal and covertly harvest user account credentials for use in future attacks.
What's worse, the CTU team said, is that if an attacker were to create such a scenario, it would be extremely difficult for administrators to detect, let alone remove and prevent further exploitation.
"Administrators can remove PTA agents from servers but cannot directly remove PTA agents from the Azure SQL Database. Agents can only be removed from the database by keeping them inactive for ten days, after which they are automatically removed by Microsoft," the CTU researchers explained in the report.
"If a threat actor is actively using any certificate associated with the compromised PTA agent, the agent never becomes inactive."
While Secureworks said it reported the issues to Microsoft in May, no fix has been introduced nor have any security alerts been issued. "CTU researchers shared their findings with Microsoft on May 10, 2022. Microsoft responded on July 2 that PTA is working as intended and gave no indication of plans to address the reported flaws," the report said.
According to Secureworks, this is because Microsoft does not see the issue as a true vulnerability but rather as a matter of Azure Active Directory working as intended with PTA. Microsoft told the CTU team that getting access to the certificates needed to perform the attack would require the attacker to have already taken over a server on the victim's network and achieved administrative access.
TechTarget Editorial contacted Microsoft for comment, but the company had not responded at press time.
The need for admin access has previously been cited by Microsoft in response to vulnerability reports. The reasoning is that, for an attacker to reach the component in question, the attacker must already hold administrator access, so there is little or no need to perform an exploit at all.
While this can help administrators effectively prioritize which patches to install for flaws that pose the most immediate risk, it can also lead to overlooking lower-severity bugs that can be chained together for a more serious compromise.