by Les Bell - Tuesday, 29 August 2023, 10:33 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Authentication Vulnerability in Azure Active Directory

A key benefit of the federated identity management systems provided by cloud service providers like Google and Microsoft is the ability to authenticate to cloud applications without having to maintain credentials on all of them. To do this, the identity provider - in the case of Microsoft, this is Azure Active Directory - authenticates the user once, and then the user allows the relying party to obtain an authentication token from the identity provider.

This process involves the use of RESTful APIs to pass the necessary messages among the parties. When a web service requests authorization for a user from the identity provider, it does so by calling an API, but the operation is not synchronous - rather, it registers an API URL which the identity provider will, in turn, call back, and this will run code which completes the authentication or login process in the web service. This API is called a reply URL or callback URL. A lot of cloud services work this way, as do widely-used web sites such as newspapers and magazines which integrate with cloud identity providers.

Now, researchers at Secureworks Counter Threat Unit have discovered a vulnerability which allows threat actors to redirect these reply URLs, and receive the authorization tokens which they can then exchange for access tokens and, eventually, achieve a privilege escalation attack.

The vulnerability was first observed early this year in an Azure AD API used by Microsoft's Power Platform - a low-code application development framework - and worked via an abandoned reply URL. Secureworks reported it to Microsoft, who confirmed the vulnerability, assigned it a critical severity rating, and promptly removed the abandoned reply URL API. But the researchers asked themselves the obvious question: are there other abandoned reply URL APIs in Azure AD applications which could be similarly exploited?

After developing a scanner which would search for abandoned reply URL values and confirm if they were available for registration, they had their answer: yes, there were. The exploit itself is quite involved, so I won't get into the details here; the Secureworks blog post does a good job of that. But the researchers found an abandoned Dynamics Data Integration app reply URL, associated with the Azure Traffic Manager profile, which was pre-consented and therefore required no additional consent to stage the attack.

The researchers reported the vulnerability to the Microsoft Security Response Center, who immediately investigated and released an update the following day. However, this entire saga illustrates the dangers posed by outdated and abandoned APIs. It's important for developers and operations personnel not just to focus on deployment of new APIs, but also to include a procedure for retirement of the old ones.

Counter Threat Unit Research Team, Power Platform Privilege Escalation, threat analysis, 24 August 2023 (updated 28 August 2023). Available online at https://www.secureworks.com/research/power-platform-privilege-escalation.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
