A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network.
Microsoft issued an advisory for the vulnerability. Affected are Office 365 customers running Microsoft’s Active Directory Domain Services in conjunction with Azure AD Connect software installed with the Express Settings, according to Preempt Security that first identified the vulnerability.
Microsoft didn’t release a patch to fix the bug, rather it made available a PowerShell script that adjusts the permissions of the Active Directory domain accounts to protect customers from the vulnerability. Microsoft also said future versions of affected software (after version 1.1.654.0) would not be impacted by this vulnerability.
“Before this release, the account was created with settings that allowed a user with password administrator rights the ability to change the password to a value know to them. This allowed you to sign in using this account, and this would constitute an elevation of privilege security breach. This release tightens the setting on the account that is created and removes this vulnerability,” Microsoft states.
The flaw allows trusted users with limited or temporary privileges within a domain, such as the ability to change passwords or add users to administrative groups, to escalate privileges, said Roman Blachman, CTO and co-founder of Preempt.
He said there are several scenarios where “stealthy admins” can elevate their access within a domain. One way is a rogue technical support operator (or “stealth admin”) could use their limited privilege of managing passwords to change the password of a domain administrator. They could then login as the domain administrator and configure their own profile with greater access to the company’s network.
“The flaw allows a support operator to replicate all of the domain passwords of every user and compromise any account in the domain and give themselves full administrator rights,” Blachman said. “So, this support operator could go from having limited access to making themselves a domain admin.”
In another attack scenario, a rogue admin with limited privileges of adding and removing users from administrative groups could simply add themselves to a group with more privileges.
To circumvent detection, Preempt said a stealthy admin would alternatively target the MSOnline (MSOL) PowerShell Module, part of Windows Azure Active Directory. “Such (service) accounts are often less monitored than full domain admins even though they have relatively high privileges,” researcher said.
“Imagine a help desk technician with permissions to reset non-admin passwords but no other domain admin privileges. Because the MSOL account is generated under the Built-in Users container, and the Built-in Account Operators group (e.g. helpdesk team) has permissions to reset passwords for the Built-in Users container, this gives the account operator full de facto access to domain passwords, as well as other elevated privileges (e.g. Domain Admin),” researcher wrote in a technical write up of the vulnerability posted.
Using the aforementioned technique, Blachman said, it is possible for an admin to escalate their privileges via the MSOL service account.
“Now the stealthy admin can log into Azure AD Connect and reconfigure the account so everything would work properly and no one would ever notice the changes to the account,” Blachman said.
“Microsoft acknowledged the issue and has released a Microsoft Security Advisory 4056318 and a PowerShell script that addresses the flaw by adjusting the permissions of the Active Directory domain accounts to modify properties of the AD DS synchronization account (MSOL),” Preempt said.