Azure blues: Active Directory Connect has password reset vuln

Microsoft is warning sysadmins to check their Azure Active Directory Connect configurations and implement a patch against a credential-handling vulnerability.

The bug’s in an Active Directory (AD) feature called password writeback. Azure AD can be configured to copy user passwords back to a local AD environment.

A convenience feature, password writeback is designed to simplify password resets, letting users change their local and cloud passwords simultaneously. It supports resets from Office365 and allows admins to push a reset from the Azure portal back to on-premises AD.

And if it’s misconfigured, Microsoft writes, an attacker can force a password reset and end up controlling the user’s new password.

“When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”

A malicious cloud admin can therefore force resets of on-premises AD accounts – including those of admin-level users – and force the reset to a password of the attacker’s choice. That would then get written back to the victim’s local environment, and presto, the target’s pwned.
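One way an on-premises administrator could check for the over-broad grant described above is to audit which privileged objects the connector account can reset passwords on. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory module is installed, that the connector account uses the MSOL_ naming prefix Azure AD Connect normally creates, and that privileged accounts are those marked adminCount=1 (whose ACLs are stamped from AdminSDHolder).

```powershell
# Added example, not from the article or Microsoft: list privileged on-premises
# objects on which the Azure AD Connect connector account holds Reset Password.
# Assumptions: ActiveDirectory module installed; connector account named MSOL_*.
Import-Module ActiveDirectory

# Extended-right GUID for "Reset Password" (User-Force-Change-Password)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Assumed: the connector account follows the MSOL_ prefix
$connector = Get-ADUser -Filter 'Name -like "MSOL_*"' | Select-Object -First 1
if (-not $connector) { throw 'No MSOL_* connector account found' }
$connectorSid = $connector.SID.Value

# Protected (adminCount=1) accounts inherit their ACL from AdminSDHolder, so
# check that container as well as each account's own ACL.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @("CN=AdminSDHolder,CN=System,$domainDn")
$targets += @(Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the ACE's principal to a SID for a stable comparison
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($aceSid -ne $connectorSid) { continue }

        # Reset Password is an extended right; an empty ObjectType means "all extended rights"
        $grantsReset = $ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
                       ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [Guid]::Empty)
        $grantsAll   = $ace.ActiveDirectoryRights.HasFlag($GenericAll)
        if ($grantsReset -or $grantsAll) {
            [pscustomobject]@{
                Object    = $dn
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning "$($connector.Name) can reset passwords on privileged objects:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Reset Password grants to $($connector.Name) on privileged objects."
}
```

Any row reported for AdminSDHolder matters most, since its ACL is re-applied to every protected account on a schedule, so removing the grant from individual accounts alone will not hold.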

Microsoft has patched the issue in this update to Azure AD Connect.
