Security - September 18, 2025

Discovered: Two Major Vulnerabilities in Microsoft Azure’s Identity and Access Management System Pose Global Threat
In the past decade, businesses worldwide have migrated their digital infrastructure onto cloud platforms run by tech giants such as Microsoft. The shift has brought real benefits, not least the standardized security controls these providers offer. But it also concentrates risk: a single flaw in a shared platform can affect every customer at once, on a scale that has no precedent in on-premises computing. The recent discovery of two vulnerabilities in Entra ID, the identity and access management platform behind Microsoft Azure, underscores that risk.

Entra ID manages user identities, sign-in permissions, applications, and subscription tools for each Azure cloud customer. Dutch security researcher Dirk-jan Mollema, who specializes in cloud security at Outsider Security, has studied Entra ID's weaknesses extensively. In July, while preparing a presentation for the Black Hat security conference in Las Vegas, he uncovered two vulnerabilities that, chained together, could have granted an attacker global administrator privileges in, and thereby full control of, every Entra ID directory (known as a tenant). Mollema estimates that nearly every Entra ID tenant worldwide would have been exposed, with the possible exception of government cloud infrastructure.

“I was in disbelief,” said Mollema. “I thought something like this shouldn’t happen.” He further explained that an attacker could impersonate any user from another tenant and manipulate their configurations, create new admin users, or perform any desired actions.

Realizing the severity of the issue, Mollema reported his findings to Microsoft Security Response Center on July 14, the same day he discovered the flaws. Microsoft began investigating immediately and rolled out a global fix by July 17. The company confirmed to Mollema that the issue was resolved by July 23 and took additional precautions in August. Microsoft assigned a CVE (Common Vulnerabilities and Exposures) number to the vulnerability on September 4.

Microsoft’s Vice President of Engineering for Security Response Center, Tom Gallagher, stated that the issue was promptly addressed: “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.” The company also found no evidence of malicious exploitation during its investigation.

Both vulnerabilities stemmed from legacy components still operating inside Entra ID. The first involved a particular kind of Azure authentication token, the Actor Token, issued by a little-known Azure mechanism called the Access Control Service. On their own these tokens were not the whole story; Mollema found that, combined with a second bug, they became the key to a cross-tenant takeover. That second bug was a serious flaw in the Azure Active Directory Graph (Azure AD Graph) API, the legacy interface for reading data stored in Microsoft 365. Microsoft is phasing Azure AD Graph out in favor of its successor, Microsoft Graph, which is built for Entra ID. The flaw was that Azure AD Graph did not properly validate which tenant an access request actually originated from, so it could be manipulated into accepting an Actor Token issued in a different tenant, a token it should have rejected.
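To make the class of bug concrete, here is an added, deliberately simplified model of the validation failure described above. It is not Microsoft's code and does not reproduce the real Actor Token or Azure AD Graph formats: the token is an HMAC-signed JSON blob, the claim names (`tid` for the issuing tenant, `sub` for the impersonated principal, `typ` for the token kind), the signing key and the tenant names are all constructed for the example. The vulnerable validator checks the signature and token type but never compares the token's issuing tenant with the tenant the request targets; the hardened version adds that comparison.

```python
"""Simplified model of a cross-tenant token-acceptance flaw.

Added illustration only: token format, claim names, key and tenant ids
are assumptions for this demo, not the real Entra ID / Azure AD Graph
implementation.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service would hold per-issuer signing keys.
SIGNING_KEY = b"demo-signing-key-not-real"


def mint_token(tenant_id: str, subject: str, token_type: str = "actor") -> str:
    """Issue a signed token in `tenant_id` that acts as `subject`."""
    payload = {"tid": tenant_id, "sub": subject, "typ": token_type}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; rejects tampered tokens."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def authorize_vulnerable(token: str, target_tenant: str) -> dict:
    """Signature and type are checked, but the issuing tenant is trusted blindly.

    Bug: the tenant the request is scoped to (`target_tenant`) is never
    compared with the tenant that issued the token (`tid`), so a token
    minted in an attacker-controlled tenant is honored against any tenant.
    """
    claims = parse_token(token)
    if claims["typ"] != "actor":
        raise PermissionError("not an actor token")
    return {"tenant": target_tenant, "acting_as": claims["sub"]}


def authorize_fixed(token: str, target_tenant: str) -> dict:
    """Same checks plus the missing one: the token must belong to the target tenant."""
    claims = parse_token(token)
    if claims["typ"] != "actor":
        raise PermissionError("not an actor token")
    if claims["tid"] != target_tenant:
        raise PermissionError("token issued for a different tenant")
    return {"tenant": target_tenant, "acting_as": claims["sub"]}


def allowed(check, token: str, target_tenant: str) -> bool:
    """True if `check` accepts the token for `target_tenant`, False if it refuses."""
    try:
        check(token, target_tenant)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed scenario: attacker mints an actor token in their own tenant
    # naming an admin of the victim tenant, then presents it against the victim.
    attacker_token = mint_token("attacker-tenant", "admin@victim.example")
    print("vulnerable accepts cross-tenant token:",
          allowed(authorize_vulnerable, attacker_token, "victim-tenant"))
    print("fixed accepts cross-tenant token:   ",
          allowed(authorize_fixed, attacker_token, "victim-tenant"))
```

The point of the model is that a valid signature only proves who issued the token, not that the issuer had any standing in the tenant being accessed; a resource server that skips the tenant comparison turns every legitimately issued token into a universal one.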