Azure: Password Reset Vulnerability in AD Connect
Microsoft is warning sysadmins to check their Azure Active Directory Connect configurations and implement a patch against a credential-handling vulnerability.
Microsoft Azure AD (Active Directory) is often used by enterprises to provide employees and business partners single sign-on access to cloud SaaS applications (e.g. Office365, DropBox, etc.). It can also be integrated with an organization’s existing Windows Server Active Directory, so that existing on-premises identity solutions can be used to manage access to cloud-based SaaS applications.
The bug is in an Active Directory (AD) feature called password writeback. Azure AD can be configured to copy user passwords back to a local AD environment.
A convenience feature, password writeback is designed to simplify password resets, letting users change their local and cloud passwords simultaneously. It supports resets from Office365 and allows admins to push a reset from the Azure portal back to on-premises AD.
A malicious cloud admin can therefore force a reset of on-premises AD accounts – including those of admin-level users – to a password of the attacker’s choice. That new password is then written back to the victim’s local environment, and presto, the target’s pwned.
The hole has been plugged by Microsoft, and sysadmins just need to upgrade to the newest Azure AD Connect version: 1.1.553.0.
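As an added example (not from the article or from Microsoft), the following PowerShell snippet is the check a sysadmin would run on the AD Connect server itself: it reads the installed product version from the standard Uninstall registry keys, compares it with the fixed build named above (1.1.553.0), and, where the ADSync module is present, reports whether password writeback is turned on so you know if the host is exposed at all. It assumes the product registers under the DisplayName "Microsoft Azure AD Connect" and that the ADSync module's Get-ADSyncAADCompanyFeature cmdlet exposes a PasswordWriteBack property; both are assumptions, so adjust the names if your build reports them differently.

```powershell
# Added example, not code from the article: verify the Azure AD Connect build on this host
# is at or above the fixed version and report whether password writeback is enabled.
# Assumption: the installer registers under the Uninstall keys as "Microsoft Azure AD Connect".

$FixedVersion = [version]'1.1.553.0'   # fixed build named in the article

$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Locate the product entry; DisplayVersion holds the installed build string.
$product = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1

if (-not $product) {
    Write-Output 'Azure AD Connect does not appear to be installed on this host.'
    return
}

# [version] gives a proper numeric comparison (1.1.553.0 > 1.1.49.0), unlike string comparison.
$installed = [version]$product.DisplayVersion

if ($installed -lt $FixedVersion) {
    Write-Warning ("Azure AD Connect {0} is older than the fixed build {1}; upgrade." -f $installed, $FixedVersion)
} else {
    Write-Output ("Azure AD Connect {0} is at or above the fixed build {1}." -f $installed, $FixedVersion)
}

# Assumption: the ADSync module's Get-ADSyncAADCompanyFeature cmdlet reports a
# PasswordWriteBack flag. If writeback is off, the reset path described above is not exposed.
if (Get-Command Get-ADSyncAADCompanyFeature -ErrorAction SilentlyContinue) {
    $features = Get-ADSyncAADCompanyFeature
    if ($features.PasswordWriteBack) {
        Write-Output 'Password writeback is ENABLED: on-premises accounts can be reset from the cloud.'
    } else {
        Write-Output 'Password writeback is disabled on this tenant.'
    }
} else {
    Write-Output 'ADSync module not found; run this on the AD Connect server to check writeback state.'
}
```

Run it in an elevated PowerShell session on the AD Connect server. A host that reports both an older build and writeback enabled is the case the article is warning about and should be upgraded first.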