A Privilege Escalation issue has been fixed in Microsoft Azure AD Connect


Azure AD Connect is a tool and guided experience for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including synchronisation and sign-on.

Microsoft explains the issue (CVE identifier CVE-2017-8613) by noting that the password writeback feature may not be configured properly during enablement. Writeback is a component of Azure Active Directory Connect that lets users configure Azure AD to write passwords back to their on-premises AD user accounts. It gives users a convenient cloud-based way to reset their on-premises passwords wherever they are.

“To enable Password writeback, Azure AD Connect must be granted Reset Password permission over the on-premises AD user accounts. When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”

This configuration is not recommended by Microsoft because it enables a malicious Azure Active Directory Administrator to reset the password of an arbitrary privileged on-premises AD user account to a known value using Password writeback. That in turn gives the malicious Azure AD Administrator privileged access to the customer’s on-premises AD.

“The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.”
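A check a domain administrator might run after reading this, added here as an example (not code from the article or from Microsoft): it enumerates the AdminSDHolder-protected accounts (those with adminCount=1, which include Domain and Enterprise Administrators) and reports whether a given Azure AD Connect sync account holds the Reset Password extended right over any of them. It assumes the RSAT ActiveDirectory module is installed and takes the sync account's sAMAccountName as a parameter; the `MSOL_...` value at the bottom is a placeholder.

```powershell
# Audit: which AdminSDHolder-protected accounts can a given AD Connect sync account reset?
# Assumes the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

function Get-SyncAccountResetPasswordGrants {
    param(
        [Parameter(Mandatory)] [string] $SyncAccount   # sAMAccountName of the sync account (placeholder below)
    )
    # Extended right "User-Force-Change-Password" = the "Reset Password" permission in the ACL editor.
    $resetPwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    $allGuid      = [Guid]::Empty        # ObjectType of all-zeros means the ACE covers every extended right
    $rights       = [System.DirectoryServices.ActiveDirectoryRights]

    $domain   = Get-ADDomain
    $identity = "$($domain.NetBIOSName)\$SyncAccount"

    # adminCount=1 marks accounts whose ACL is stamped from AdminSDHolder by SDProp;
    # include the AdminSDHolder template itself, since a grant there propagates to all of them.
    $targets  = @(Get-ADObject "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)")
    $targets += Get-ADUser -LDAPFilter '(adminCount=1)'

    foreach ($obj in $targets) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $identity) { continue }

            $genericAll = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
            $extended   = $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                          ($ace.ObjectType -eq $resetPwdGuid -or $ace.ObjectType -eq $allGuid)

            if ($genericAll -or $extended) {
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Placeholder account name; real sync accounts are typically named MSOL_<hex suffix>.
Get-SyncAccountResetPasswordGrants -SyncAccount 'MSOL_0123456789ab' | Format-Table -AutoSize
```

An empty result means the sync account cannot reset passwords on protected accounts; any row, especially one on AdminSDHolder, is the misconfiguration the advisory describes and should be removed, after which the account is left with Reset Password only on the OUs holding ordinary user accounts.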

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]