New Azure Active Directory password brute-forcing flaw

guest · Sep 28, 2021

New Azure Active Directory password brute-forcing flaw has no fix
Microsoft says AD authentication responses are working as intended.
September 28, 2021
https://arstechnica.com/information...ctory-password-brute-forcing-flaw-has-no-fix/

Imagine having unlimited attempts to guess someone's username and password without getting caught. That would make an ideal scenario for a stealthy threat actor—leaving server admins with little to no visibility into the attacker's actions, let alone the possibility of blocking them.

A newly discovered bug in Microsoft Azure's Active Directory (AD) implementation allows just that: single-factor brute-forcing of a user's AD credentials. And, these attempts aren't logged on to the server.
Click to expand...

This month, Secureworks is alerting its customers to the flaw, according to a communication shared with Ars by a source.

Azure AD Seamless SSO service automatically signs users in to their corporate devices, connected to their workplace network. With Seamless SSO enabled, users won't have to type in their passwords, or typically even their usernames, to sign in to Azure AD.

"This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components," explains Microsoft.
Click to expand...

And this is where the flaw creeps in. Autologon attempts to authenticate the user to Azure AD based on the provided credentials. If the username and password are a match, authentication succeeds, and the Autologon service responds with XML output containing an authentication token, known as DesktopSSOToken, which is sent to Azure AD. If, however, the authentication fails, an error message is generated.

It is these error codes, some of which are not properly logged, that can aid an attacker in performing undetected brute-force attacks.
Click to expand...

As stated above, Microsoft seems to consider this a design choice, rather than a vulnerability. As such, it remains unclear if or when the flaw would be fixed, and organizations could remain vulnerable to stealthy brute-force attacks.
Click to expand...

guest · Sep 30, 2021

Microsoft Will Mitigate Brute-Force Bug in Azure AD
Microsoft Sparred with SecureWorks Over Impact But Relents
September 29, 2021
https://www.databreachtoday.com/microsoft-will-mitigate-brute-force-bug-in-azure-ad-a-17646

Microsoft has indicated it will make changes to reduce the risk around what a security vendor says is a vulnerability that lets attackers run brute-force credential attacks against Azure Active Directory.

The issue was reported to Microsoft by SecureWorks on June 29 although at least one other researcher, Dirk-jan Mollema, reported it to Microsoft last year. SecureWorks issued a private security advisory on Sept. 24, according to Ars Technica, which first reported about it. SecureWorks published the content of that private advisory in a public blog post on Wednesday.
Click to expand...

SecureWorks says there's a flaw in the protocol that is used as part of Azure Active Directory's Seamless Single Sign-On feature.

"This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant," SecureWorks says.
Microsoft had initially told SecureWorks that Azure AD was working by design. But Syynimaa says that company indicated on Wednesday night that it will make two technical changes that drastically reduces the risk. That's fortunate, as a proof-of-concept attack has emerged.
Click to expand...

Overall, Syynimaa says Microsoft's moves show that it is taking the situation seriously despite initially pushing back.
Click to expand...

Log in or Sign up

New Azure Active Directory password brute-forcing flaw

guest Guest

guest Guest

Log in or Sign up

New Azure Active Directory password brute-forcing flaw

guest Guest

guest Guest

Useful Searches