Privilege Escalation issue within Azure AD Discovered By Silverfort

Silverfort has released findings on a privilege escalation issue in Microsoft Azure Active Directory. The Silverfort research team found a gap in the safeguards applied to certain user accounts in Azure AD, which could enable lower-privileged admins to become fully privileged ones.

Azure Active Directory is a leading cloud identity provider, and Microsoft responded quickly to the report and patched the gap, closing off future attacks using this technique. Nonetheless, at a time when privilege escalation attacks are persistent and highly damaging, Silverfort hopes the wider security community can benefit from the published analysis and findings.


  • Azure AD safeguards higher-privileged admins by preventing lower-privileged admins from resetting or otherwise modifying the passwords of accounts that hold higher privileges.
  • The safeguard is applied when a privileged role assignment is in the ‘eligible’ or ‘active’ state.
  • Azure AD also allows a privileged role to be assigned to an account for ‘future use’, that is, with a start date that has not yet arrived.
  • Silverfort found that for such ‘future use’ assignments the password safeguard did not apply.

Chained with an initial compromise of a lower-privileged admin account, this gap let an attacker enumerate Azure AD for accounts scheduled to become highly privileged admins in the future, reset their passwords while they were still unprotected, and then simply wait for the assignment to take effect to obtain full privileges.
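The population at risk here is the set of accounts whose privileged role assignment has not started yet. The following added example (not code from Silverfort or Microsoft) shows how a defender might enumerate that population and flag admin-initiated password resets against it. It uses a simplified, constructed model of PIM role schedule records and Azure AD audit log entries; the field names, the sample data, the time used as "now", and the set of role template IDs treated as highly privileged are all assumptions (only the Global Administrator template ID is the well-known constant). In a real tenant the records would come from the Graph PIM role eligibility and assignment schedule objects and the directory audit log.

```python
"""Hunt for Azure AD principals whose high-privilege role assignment starts in
the future, and flag admin password resets against them by non-privileged actors.

Constructed example: the schedule records and audit events below are made up,
and their field names are a simplified model of PIM schedule objects and
Azure AD audit log entries, not a verified API contract.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Global Administrator directory role template ID (well-known constant).
# Assumption: extend this set with the other template IDs your tenant treats as Tier-0.
HIGH_PRIV_ROLE_IDS = {"62e90394-69f5-4237-9190-012177145e10"}


@dataclass(frozen=True)
class RoleSchedule:
    principal_id: str
    role_definition_id: str
    start: datetime  # when the assignment takes effect (UTC)


@dataclass(frozen=True)
class AuditEvent:
    activity: str      # e.g. "Reset password (by admin)"
    actor_id: str      # principal that initiated the action
    target_id: str     # principal whose password was reset
    timestamp: datetime


def classify_privileged(schedules, now):
    """Split principals with high-privilege assignments into two sets.

    'current': at least one assignment has already started (eligible or
    active), so the password-reset safeguard covers the account.
    'future_only': every high-privilege assignment starts after `now`; before
    the fix these accounts were not covered even though they will become
    privileged.
    """
    current, future_only = set(), set()
    for s in schedules:
        if s.role_definition_id not in HIGH_PRIV_ROLE_IDS:
            continue
        if s.start <= now:
            current.add(s.principal_id)
        else:
            future_only.add(s.principal_id)
    # Any started assignment means the account is already protected.
    future_only -= current
    return current, future_only


def suspicious_resets(events, schedules, now):
    """Return password-reset events where the actor is not a current
    high-privilege admin and the target is scheduled to become one."""
    current, future_only = classify_privileged(schedules, now)
    return [
        e for e in events
        if e.activity == "Reset password (by admin)"
        and e.target_id in future_only
        and e.actor_id not in current
    ]


# Constructed sample data (hypothetical principals and times).
GA = "62e90394-69f5-4237-9190-012177145e10"
OTHER_ROLE = "00000000-0000-0000-0000-000000000001"  # assumed low-privilege role
UTC = timezone.utc
SAMPLE_NOW = datetime(2023, 3, 1, 12, 0, tzinfo=UTC)
SAMPLE_SCHEDULES = [
    RoleSchedule("alice", GA, datetime(2023, 1, 1, tzinfo=UTC)),   # already GA
    RoleSchedule("bob", GA, datetime(2023, 4, 1, tzinfo=UTC)),     # future GA only
    RoleSchedule("carol", GA, datetime(2022, 6, 1, tzinfo=UTC)),   # already GA ...
    RoleSchedule("carol", GA, datetime(2023, 4, 15, tzinfo=UTC)),  # ... plus a future renewal
    RoleSchedule("dave", OTHER_ROLE, datetime(2023, 5, 1, tzinfo=UTC)),  # not Tier-0
]
SAMPLE_EVENTS = [
    AuditEvent("Reset password (by admin)", "helpdesk-1", "bob",
               datetime(2023, 2, 28, 9, 0, tzinfo=UTC)),    # should be flagged
    AuditEvent("Reset password (by admin)", "alice", "bob",
               datetime(2023, 2, 28, 10, 0, tzinfo=UTC)),   # actor is a current GA
    AuditEvent("Reset password (by admin)", "helpdesk-1", "carol",
               datetime(2023, 2, 28, 11, 0, tzinfo=UTC)),   # target already protected
    AuditEvent("Update user", "helpdesk-1", "bob",
               datetime(2023, 2, 28, 12, 0, tzinfo=UTC)),   # not a password reset
]


def run_demo():
    """Run the hunt over the constructed sample and return the flagged events."""
    return suspicious_resets(SAMPLE_EVENTS, SAMPLE_SCHEDULES, SAMPLE_NOW)


if __name__ == "__main__":
    current, future_only = classify_privileged(SAMPLE_SCHEDULES, SAMPLE_NOW)
    print("currently privileged:", sorted(current))
    print("future-only (treat as privileged now):", sorted(future_only))
    for e in run_demo():
        print(f"ALERT {e.timestamp.isoformat()} {e.actor_id} reset password of {e.target_id}")
```

The operational point is the `future_only` set: even with the gap patched, anyone scheduled to receive a Tier-0 role should be handled as privileged from the moment the assignment is created, and password resets against those accounts by helpdesk-tier actors deserve an alert rather than a routine log entry.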

You can read their findings here.
