Microsoft is warning customers of a bug in its Azure Active Directory Connect product that could allow an adversary to escalate privileges and reset passwords and gain unauthorized access to user accounts.
The advisory (4033453) was issued Tuesday via Microsoft’s TechNet website for the vulnerability, which it rated “important.” The advisory includes ways to determine a company’s exposure to the vulnerability. Remediation includes upgrading to the latest version of Azure AD Connect (1.1.553.0).
Azure Active Directory Connect is Microsoft’s tool for monitoring the status of a network’s synchronization (federation) between an on-premises Active Directory and a cloud-based Azure Active Directory (Azure AD).
“The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement,” according to the advisory. “An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.”
Microsoft explains that the password writeback feature is a component of Azure AD Connect that allows users to configure Azure AD to write passwords back to their on-premises AD user accounts. “When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts),” it wrote.
The risk arises if a malicious Azure AD Administrator uses Password writeback to reset the password of a privileged on-premises AD user account to a known value. That could lead to a malicious Azure AD Administrator gaining privileged access to a customer’s on-premises Active Directory, Microsoft said.
Verifying exposure to the vulnerability includes checking if Password writeback is enabled and determining whether your Azure AD Connect server has been granted Reset Password permission over on-premises AD privileged accounts.
“If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups,” according to the advisory. The advisory details the steps in full, but recommends updating to the most recent version of Azure AD Connect to fix the vulnerability.
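The two exposure checks above can be scripted against on-premises AD. The following PowerShell is an added example written for this article, not the script from Microsoft’s advisory; it assumes the RSAT ActiveDirectory module is installed and that `$AdDsAccount` (a placeholder) is the sAMAccountName of the account Azure AD Connect uses to write back to on-premises AD. It reports whether that account sits in a privileged group and whether any protected (adminCount=1) account, or the AdminSDHolder template those accounts inherit their ACL from, grants it the Reset Password extended right.

```powershell
# Added example (not Microsoft's advisory script). Requires the ActiveDirectory module.
# $AdDsAccount is a placeholder: pass the sAMAccountName of the Azure AD Connect AD DS account.
param(
    [Parameter(Mandatory = $true)]
    [string]$AdDsAccount
)

Import-Module ActiveDirectory

# "User-Force-Change-Password" extended right, i.e. Reset Password.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$domain  = Get-ADDomain
$svcUser = Get-ADUser -Identity $AdDsAccount
$svcSid  = $svcUser.SID

# Check 1: is the AD DS account a (transitive) member of a privileged group?
# Enterprise Admins lives in the forest root domain, so look it up there.
$privilegedGroups = @('Domain Admins', 'Administrators', 'Account Operators', 'Schema Admins')
$groupHits = foreach ($g in $privilegedGroups + 'Enterprise Admins') {
    $server = if ($g -in 'Enterprise Admins', 'Schema Admins') { (Get-ADForest).RootDomain } else { $domain.DNSRoot }
    try {
        $members = Get-ADGroupMember -Identity $g -Server $server -Recursive -ErrorAction Stop
        if ($members | Where-Object { $_.SID -eq $svcSid }) { $g }
    } catch { }   # group may not exist in this domain; skip it
}

# Returns $true if any ACE on the object lets the service account reset passwords:
# an explicit Reset Password extended right, all extended rights, or GenericAll.
function Test-ResetPasswordAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable principal, cannot be our account
        if ($aceSid -ne $svcSid) { continue }

        $rights = $ace.ActiveDirectoryRights
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) { return $true }
        if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            # ObjectType Empty means "all extended rights", which includes Reset Password.
            if ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [Guid]::Empty) { return $true }
        }
    }
    return $false
}

# Check 2: the AdminSDHolder template (SDProp stamps its ACL onto protected accounts)
# plus every account currently marked adminCount=1.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$aclHits = @()
if (Test-ResetPasswordAce -DistinguishedName $adminSdHolder) { $aclHits += $adminSdHolder }

$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount
foreach ($u in $protected) {
    if (Test-ResetPasswordAce -DistinguishedName $u.DistinguishedName) { $aclHits += $u.DistinguishedName }
}

[PSCustomObject]@{
    AdDsAccount                 = $svcUser.SamAccountName
    PrivilegedGroupMemberships  = $groupHits
    ResetPasswordOverProtected  = $aclHits
    Exposed                     = [bool]($groupHits -or $aclHits)
}
```

Run it as a domain user with read access to the directory; it makes no changes. A non-empty `PrivilegedGroupMemberships` is the case the advisory addresses with “consider removing the AD DS account from the groups,” and a non-empty `ResetPasswordOverProtected` means the writeback account can reset passwords on protected accounts and the delegation should be narrowed to non-privileged users before relying on the version upgrade alone.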
The Azure AD Connect vulnerability was assigned the CVE identifier CVE-2017-8613.