Azure blues: Active Directory Connect has password reset vuln

Attackers can dive out of the cloud to pwn admin passwords

Microsoft is warning sysadmins to check their Azure Active Directory Connect configurations and implement a patch against a credential-handling vulnerability.

The bug's in an Azure AD Connect feature called password writeback. With it enabled, password changes and resets made in Azure AD are copied back to the on-premises Active Directory (AD) environment.

A convenience feature, password writeback is designed to simplify password resets: a user who changes or resets their cloud password gets the same new password on-premises, with no separate local reset. It supports self-service resets from Office 365 and lets admins push a reset from the Azure portal back to on-premises AD.

The problem is not writeback itself but the permissions granted to the on-premises service account Azure AD Connect uses. If that account has been given more rights than it needs, Microsoft writes, an attacker can force a reset and thereby choose a user's new password.

“When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”

A malicious Azure AD admin can therefore reset the password of an on-premises AD account – including privileged accounts such as Domain and Enterprise Admins – to a value of the attacker's choosing. Writeback then stamps that password onto the victim's on-premises account, and presto, the target's pwned: cloud-side admin rights have been turned into on-premises domain admin rights.
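The check a sysadmin wants here is whether the Azure AD Connect service account actually holds Reset Password over protected accounts. The PowerShell below is an added example, not Microsoft's own tooling or script: it walks the DACL of every adminCount=1 account (the ones protected by AdminSDHolder) plus the AdminSDHolder object itself, and reports any Allow ACE that grants the connector account the "User-Force-Change-Password" extended right (shown as "Reset Password" in the ACL editor), either directly or via a GenericAll-style blanket grant. The connector account name passed in (`MSOL_0123456789ab`) is a placeholder; substitute the sAMAccountName of your own AD DS connector account.

```powershell
# Added audit example (not Microsoft's script). Assumes the ActiveDirectory module
# and that the connector account's sAMAccountName is known (placeholder: MSOL_0123456789ab).
Import-Module ActiveDirectory

function Find-ConnectorResetPasswordGrants {
    param(
        # sAMAccountName of the Azure AD Connect AD DS connector account
        [Parameter(Mandatory)] [string] $ConnectorAccount
    )
    # Extended right "User-Force-Change-Password" == "Reset Password" in the ACL editor
    $resetPasswordRight = [Guid] '00299570-246d-11d0-a768-00aa006e0529'
    $connectorSid = (Get-ADUser -Identity $ConnectorAccount).SID

    # adminCount=1 marks accounts protected by AdminSDHolder (Domain/Enterprise Admins etc.)
    $targets = @(Get-ADObject -LDAPFilter '(&(objectCategory=person)(adminCount=1))')
    # AdminSDHolder itself: any grant here is re-stamped onto every protected account
    $targets += Get-ADObject -Identity ('CN=AdminSDHolder,CN=System,' + (Get-ADDomain).DistinguishedName)

    foreach ($obj in $targets) {
        $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare trustees by SID so renamed or domain-prefixed names still match
            try {
                $trusteeSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }
            if ($trusteeSid -ne $connectorSid) { continue }

            # ExtendedRight bit set, scoped either to the Reset Password GUID or to all rights
            # (empty ObjectType, which is what GenericAll / "Full control" produces)
            $hasExtendedRight = ([int]$ace.ActiveDirectoryRights -band
                                 [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            $coversReset = ($ace.ObjectType -eq $resetPasswordRight) -or ($ace.ObjectType -eq [Guid]::Empty)

            if ($hasExtendedRight -and $coversReset) {
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: list the offending grants. Each hit is a privileged account the cloud side
# can reset at will; remove the ACE (or the inherited grant on its parent OU /
# AdminSDHolder) and leave Reset Password only on the OUs holding ordinary users.
Find-ConnectorResetPasswordGrants -ConnectorAccount 'MSOL_0123456789ab' | Format-Table -AutoSize
```

An empty result means the connector account cannot force a reset on any AdminSDHolder-protected account. A non-empty result with `Inherited = True` usually points at a Reset Password grant placed at the domain root or a high-level OU; fixing it at the source is better than adding per-account Deny entries, which AdminSDHolder will overwrite anyway.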

Microsoft has patched the issue in Azure AD Connect 1.1.553.0, which no longer allows the service account to reset passwords of on-premises privileged accounts; admins are also told to audit the permissions already granted to that account and remove any Reset Password rights it holds over privileged users.
