Microsoft Will Mitigate Brute-Force Bug in Azure AD
Microsoft Sparred with SecureWorks Over Impact But Relents
Microsoft has indicated it will make changes to reduce the risk around what a security vendor says is a vulnerability that lets attackers run brute-force credential attacks against Azure Active Directory.
The issue was reported to Microsoft by SecureWorks on June 29, although at least one other researcher, Dirk-jan Mollema, had reported it to Microsoft last year. SecureWorks issued a private security advisory on Sept. 24, according to Ars Technica, which first reported on the issue. SecureWorks published the content of that private advisory in a public blog post on Wednesday.
SecureWorks says there's a flaw in the protocol that is used as part of Azure Active Directory's Seamless Single Sign-On feature.
"This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant," SecureWorks says.
An attack can be initiated remotely, says Nestori Syynimaa, a senior principal security researcher with the SecureWorks Counter Threat Unit. Even if a brute-force attack succeeds in finding the password, the attacker would not be able to access an account that has MFA enabled; but not all organizations have MFA enabled, he says.
The original @Secureworks's threat analysis report out now https://t.co/Da8zmlkp82 — Dr. Nestori Syynimaa (@DrAzureAD) September 29, 2021
I'm happy to answer to any questions regarding the technical details.
Shout-out to @SantasaloJoosua for finding the usernamemixed endpoint back in 2019! https://t.co/nPTTqnYKJh
Also, Azure AD signals when a guessed password is valid. That means that even if MFA is enabled, an attacker gets confirmation that the password is correct, he says. If that password has been reused on other services, it poses an account takeover risk there.
Microsoft had initially told SecureWorks that Azure AD was working as designed. But Syynimaa says the company indicated on Wednesday night that it will make two technical changes that drastically reduce the risk. That's fortunate, as a proof-of-concept attack has emerged.
Targeting an Endpoint
The vulnerability sits inside a complex authentication flow that uses the Kerberos protocol. The flow is designed to let someone who is logged into a domain-joined computer be signed into Azure AD automatically; Azure AD is the cloud counterpart of on-premises Active Directory. SecureWorks published a diagram, shown below, that illustrates the authentication flow for the windowstransport endpoint, which is not vulnerable, as an example.
A successful attack relies on taking advantage of an endpoint called "usernamemixed," according to SecureWorks' advisory. The existence of the endpoint was publicly noted two years ago in a blog post by Joosua Santasalo, a security researcher and Azure expert who is based in Finland.
Syynimaa says the vulnerability appears to have been reported to Microsoft by another party in December 2020, and perhaps even earlier.
According to Microsoft's documentation, the "usernamemixed" endpoint is intended for Exchange Online with Office clients older than the May 2015 update for Office 2013. Microsoft says "later clients use the passive adfsls endpoint."
Syynimaa says Microsoft plans to change Azure AD so that the "usernamemixed" endpoint is off by default, ensuring that tenants which don't need it aren't put at inadvertent risk. Microsoft also says it will make sure that, even if the endpoint is turned on, login attempts against it will be logged, Syynimaa says. Researchers had reported differing results as to whether those attempts are currently logged.
Another backstop for those who need to keep the "usernamemixed" endpoint turned on is Smart Lockout, which allows admins to set the number of failed login attempts tolerated and how long an account stays locked before someone can try again.
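Once attempts against the endpoint do appear in the sign-in logs, the pattern Syynimaa describes (many wrong passwords against one account, or one source trying many accounts once each, followed by an "MFA required" response that confirms the password) becomes detectable. The following is an added example, not code from SecureWorks, Microsoft or the article, of that detection logic run over constructed records. The record shape (createdDateTime, userPrincipalName, ipAddress, status.errorCode) mirrors the fields of an Azure AD sign-in log entry as an assumption, and only those fields are modelled; the error codes are the well-known 50126 (invalid username or password) and 50076 (MFA required), plus 0 for success.

```python
"""Brute-force and password-spray detection over Azure AD-style sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Azure AD error codes: 50126 = invalid username or password,
# 50076 = multifactor authentication required (returned only after the password
# was accepted), 0 = successful sign-in.
INVALID_PASSWORD = 50126
MFA_REQUIRED = 50076
SUCCESS = 0


def _rec(ts, upn, ip, code):
    """Build one constructed record shaped like a sign-in log entry (assumed fields only)."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample log; not real tenant data.
SAMPLE_SIGNINS = (
    # Brute force: one source, one account, six wrong passwords in six minutes,
    # then the first response that is not "invalid password".
    [_rec(f"2021-09-29T10:0{m}:00Z", "alice@contoso.com", "203.0.113.5", INVALID_PASSWORD)
     for m in range(6)]
    + [_rec("2021-09-29T10:06:00Z", "alice@contoso.com", "203.0.113.5", MFA_REQUIRED)]
    # Spray: one source, five accounts, one wrong password each.
    + [_rec(f"2021-09-29T11:0{m}:00Z", f"{u}@contoso.com", "198.51.100.7", INVALID_PASSWORD)
       for m, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    # Benign: a typo followed by a successful sign-in.
    + [_rec("2021-09-29T12:00:00Z", "carol@contoso.com", "192.0.2.10", INVALID_PASSWORD),
       _rec("2021-09-29T12:01:00Z", "carol@contoso.com", "192.0.2.10", SUCCESS)]
)


def _ts(rec):
    """Parse the ISO-8601 timestamp (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _peak_distinct(events, window):
    """Largest number of distinct keys among (time, key) events inside any
    interval of length `window`, found with a sliding window over sorted events."""
    events.sort()
    live = defaultdict(int)
    best = start = 0
    for end, (t, key) in enumerate(events):
        live[key] += 1
        while t - events[start][0] > window:
            old = events[start][1]
            live[old] -= 1
            if not live[old]:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best


def analyze(records, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=5):
    """Return accounts under brute force, source IPs spraying many accounts, and
    (account, ip) pairs where an attacker appears to have learned the password."""
    failures_by_user = defaultdict(list)  # upn -> [(time, record index)]
    failures_by_ip = defaultdict(list)    # ip  -> [(time, upn)]
    mfa_prompts = []                      # (upn, ip) where the password was accepted
    for i, rec in enumerate(records):
        code = rec["status"]["errorCode"]
        t = _ts(rec)
        if code == INVALID_PASSWORD:
            failures_by_user[rec["userPrincipalName"]].append((t, i))
            failures_by_ip[rec["ipAddress"]].append((t, rec["userPrincipalName"]))
        elif code == MFA_REQUIRED:
            mfa_prompts.append((rec["userPrincipalName"], rec["ipAddress"]))

    brute = {}
    for upn, ev in failures_by_user.items():
        n = _peak_distinct(ev, window)    # each failure is its own key, so n = failures
        if n >= brute_threshold:
            brute[upn] = n
    spray = {}
    for ip, ev in failures_by_ip.items():
        n = _peak_distinct(ev, window)    # keys are accounts, so n = distinct accounts hit
        if n >= spray_threshold:
            spray[ip] = n
    # A lone MFA prompt is a normal sign-in; one tied to a flagged account or source
    # means the guessing found the password, even though MFA still blocks the login.
    confirmed = [(u, ip) for u, ip in mfa_prompts if u in brute or ip in spray]
    return {"brute_force": brute, "spray": spray, "password_confirmed": confirmed}


if __name__ == "__main__":
    print(analyze(SAMPLE_SIGNINS))
```

Thresholds and the ten-minute window are starting points, not tuned values; in practice they should sit below the tenant's Smart Lockout threshold so that a detection fires before the attacker's attempts are silently absorbed by lockouts.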
Overall, Syynimaa says Microsoft's moves show that it is taking the situation seriously despite initially pushing back.
"Clearly when you think that there's an endpoint that you can try to log in with multiple passwords and that's not logged - it's not good," Syynimaa says. "I like that they are going to do something about it. And that's making the world more safe. And that's what we all want to be."
Before it indicated the changes, Microsoft told ISMG that any request for access tokens is protected by its Conditional Access regime, which can gate access on a variety of factors, as well as by Azure AD's multifactor authentication and Identity Protection. It also said that requests for access tokens would be "surfaced in sign-in logs."