Cloud Security Flaw Could Have Led to Catastrophic Takeover of Azure Customer Accounts
As businesses around the world have transitioned their digital infrastructure from self-hosted servers to cloud services over the last decade, they’ve benefited from the standardized security features offered by major cloud providers like Microsoft. However, with so much riding on these systems, even small vulnerabilities can have disastrous consequences at a massive scale. A recent discovery by security researcher Dirk-jan Mollema highlights this risk, as he stumbled upon two significant flaws in Microsoft Azure’s identity and access management platform, Entra ID.
Vulnerabilities in Entra ID
Entra ID is the system used by Azure cloud customers to store their user identities, sign-in access controls, applications, and subscription management tools. Mollema has extensively studied the security of Entra ID and published multiple studies on its weaknesses. However, while preparing to present at the Black Hat security conference in Las Vegas in July, he discovered two vulnerabilities that could be exploited for a potentially catastrophic takeover of all Azure customer accounts.
The first vulnerability relates to a type of Azure authentication token known as Actor Tokens, which are issued by an obscure Azure mechanism called the Access Control Service. Mollema realized that when combined with another vulnerability, these tokens could be used to gain global administrator privileges – essentially granting god-mode access to any Entra ID directory or tenant. The second bug is a major flaw in an older Azure Active Directory application programming interface (API) known as Graph, which was used to facilitate access to data stored in Microsoft 365.
Impact of the Vulnerabilities
If exploited by malicious hackers, these vulnerabilities could have led to a devastating takeover of all Azure customer accounts. Mollema emphasizes that this would have exposed nearly every Entra ID tenant in the world, except perhaps government cloud infrastructure. "From my own tenants – my test tenant or even a trial tenant – you could request these tokens and impersonate basically anybody else in anybody else’s tenant," Mollema explains. "That means you could modify other people’s configuration, create new admin users in that tenant, and do anything you would like."
Microsoft’s Response
Given the severity of the vulnerabilities, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day he discovered the flaws. Microsoft began investigating the findings immediately and issued a fix globally on July 17. The company confirmed that the issue was fixed by July 23 and implemented additional measures in August. Microsoft also issued a CVE (Common Vulnerabilities and Exposures) for the vulnerability on September 4.
Tom Gallagher, vice president of engineering at the Microsoft Security Response Center, stated, "We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative. We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem." Gallagher added that Microsoft found no evidence of abuse during its investigation.
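The page does not detail the validation logic Gallagher refers to, so the following is an added illustration of the general defender-side check rather than Microsoft's code. It mints HMAC-signed tokens in JWT layout under a constructed demo key and contrasts a validator that checks only signature, issuer and expiry with one that also binds the token's tenant claim (`tid`) to the tenant that owns the resource being accessed, so that a token minted for one tenant cannot be presented against another. The issuer URL, signing key, tenant names and user names are placeholders invented for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this demo; it stands in for an issuer's key and is not a real Azure secret.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"
# Placeholder issuer identifier, not a real endpoint.
DEMO_ISSUER = "https://issuer.example/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HMAC-SHA256 signed token in JWT layout (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def _verify_and_decode(token: str, key: bytes):
    """Return the payload claims if the signature verifies, otherwise None."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        return None
    return json.loads(_b64url_decode(payload))


def validate_token_unbound(token: str, now: int, key: bytes = DEMO_KEY):
    """Weak check: signature, issuer and expiry only.
    A correctly signed token from any tenant is accepted for any tenant's resources."""
    claims = _verify_and_decode(token, key)
    if claims is None:
        return False, "bad_signature"
    if claims.get("iss") != DEMO_ISSUER:
        return False, "bad_issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def validate_token_tenant_bound(token: str, target_tenant: str, now: int, key: bytes = DEMO_KEY):
    """Hardened check: everything above, plus the token's tenant claim ('tid')
    must equal the tenant that owns the resource being accessed."""
    ok, reason = validate_token_unbound(token, now, key)
    if not ok:
        return ok, reason
    claims = _verify_and_decode(token, key)
    if claims.get("tid") != target_tenant:
        return False, "tenant_mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    # Token legitimately issued for tenant-a (constructed claim values).
    token_a = mint_token({"iss": DEMO_ISSUER, "tid": "tenant-a", "sub": "admin@tenant-a", "exp": now + 600})
    print("unbound, used against tenant-b:      ", validate_token_unbound(token_a, now))
    print("tenant-bound, used against tenant-b: ", validate_token_tenant_bound(token_a, "tenant-b", now))
    print("tenant-bound, used against tenant-a: ", validate_token_tenant_bound(token_a, "tenant-a", now))
```

The weak validator returns `(True, "ok")` for the tenant-a token no matter which tenant's data is requested; the tenant-bound validator rejects the same token with `tenant_mismatch` unless the target tenant matches the `tid` claim. Re-labelling the payload with another tenant's id without the key also fails, because the signature no longer matches.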
Legacy Systems and Vulnerabilities
Both vulnerabilities sit in legacy components that are still running inside Entra ID: the Access Control Service, which issues the Actor Tokens that Mollema found could be combined with a second flaw to obtain administrator privileges, and the Azure Active Directory Graph API, the older interface that was used to facilitate access to data stored in Microsoft 365.
Michael Bargury, CTO at security firm Zenity, emphasizes the severity of this vulnerability: "Microsoft built security controls around identity like conditional access and logs, but this internal impersonation token mechanism bypasses them all. This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer."
Previous Security Incidents
If malicious hackers had discovered or exploited these vulnerabilities, the fallout could have been devastating. As Bargury points out, we’ve seen similar consequences in the past. For example, Microsoft revealed in July 2023 that the Chinese cyber espionage group Storm-0558 had stolen a cryptographic key, allowing them to generate authentication tokens and access cloud-based Outlook email systems, including those belonging to US government departments.
Conducted over several months, a Microsoft postmortem on the Storm-0558 attack revealed multiple errors that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time, motivating the company to launch its Secure Future Initiative, which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.
Mollema’s Findings
Mollema emphasizes that his findings could have allowed malicious hackers to go even further than they did in the 2023 incident. "With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access," Mollema explains. Any Microsoft service "that you use Entra ID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange – that could have been compromised with this."
Conclusion
The recent discovery of vulnerabilities in Entra ID highlights the risks associated with relying on cloud services for digital infrastructure. While Microsoft’s response was prompt and effective in mitigating the issue, it serves as a reminder of the potential consequences of security flaws at a massive scale. As businesses continue to rely on cloud services, it’s essential to prioritize security measures and regularly review systems for vulnerabilities to prevent similar incidents in the future.
The Future of Cloud Security
In light of recent events, Microsoft has reaffirmed its commitment to securing cloud infrastructure through initiatives like the Secure Future Initiative. The company is actively working to retire legacy systems and transition users to more secure alternatives. As cloud security continues to evolve, it’s essential for businesses and organizations to stay informed about potential vulnerabilities and take proactive measures to protect their digital assets.
Implications for Businesses
The discovery of these vulnerabilities serves as a wake-up call for businesses relying on cloud services. It highlights the importance of prioritizing cloud security and regularly reviewing systems for potential risks. As more businesses move to the cloud, they need to acknowledge the potential consequences of security flaws at this scale and take proactive steps to mitigate them. While Microsoft's response was swift and effective, robust cloud security measures on the customer side remain essential for limiting the damage from similar incidents in the future.
Recommendations
- Businesses relying on Azure cloud services should review their Entra ID configurations and ensure they are up-to-date with the latest security patches.
- Regularly monitor system logs and alerts for potential vulnerabilities or suspicious activity.
- Prioritize cloud security measures, such as multi-factor authentication and conditional access controls.
- Stay informed about potential security risks and vulnerabilities in cloud infrastructure.
By taking proactive steps to secure their digital assets, businesses can mitigate the risks associated with cloud services and ensure a more robust and resilient online presence.
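As an added example of the log review the recommendations call for (not code from the article or from Microsoft), the following Python script scans audit records for additions to highly privileged roles, the action Mollema describes as "create new admin users in that tenant," and grades each one by whether the initiator came from a foreign tenant, is absent from an approved-administrator list, or acted without a conditional access evaluation being recorded. The records, their field names and the role names used here are a simplified schema constructed for this example, not the real Entra ID audit log format; the tenant and user names are placeholders.

```python
import json

# Roles whose assignment should always be reviewed (constructed list for the example).
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed audit records as JSON lines. Field names are this example's own simplified
# schema, not the real Entra ID audit log format; all identities and tenants are made up.
SAMPLE_AUDIT_LOG = """\
{"time": "2025-06-01T09:00:12Z", "activity": "Add member to role", "role": "Global Administrator", "target": "alice@contoso.example", "initiator": "it-admin@contoso.example", "initiator_tenant": "tenant-contoso", "ca_policy_evaluated": true}
{"time": "2025-06-01T09:05:40Z", "activity": "Add member to role", "role": "Global Administrator", "target": "new-admin@contoso.example", "initiator": "svc-account@other.example", "initiator_tenant": "tenant-other", "ca_policy_evaluated": false}
{"time": "2025-06-01T09:06:02Z", "activity": "Update user", "role": null, "target": "bob@contoso.example", "initiator": "it-admin@contoso.example", "initiator_tenant": "tenant-contoso", "ca_policy_evaluated": true}
{"time": "2025-06-01T09:10:33Z", "activity": "Add member to role", "role": "Global Administrator", "target": "carol@contoso.example", "initiator": "helpdesk@contoso.example", "initiator_tenant": "tenant-contoso", "ca_policy_evaluated": true}
"""


def parse_audit_log(text: str) -> list:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_role_grants(records: list, home_tenant: str, approved_admins: set) -> list:
    """Return one review item per high-privilege role grant, with the reasons it looks
    suspicious and a severity derived from them. Grants with no reasons are still listed
    as 'info' so that every admin-role change gets a human look."""
    alerts = []
    for rec in records:
        if rec.get("activity") != "Add member to role":
            continue
        if rec.get("role") not in HIGH_PRIVILEGE_ROLES:
            continue
        reasons = []
        # A role grant initiated from outside the tenant is the pattern Mollema describes.
        if rec.get("initiator_tenant") != home_tenant:
            reasons.append("initiator_from_foreign_tenant")
        if rec.get("initiator") not in approved_admins:
            reasons.append("initiator_not_on_approved_list")
        # Bargury's point: a token path that bypasses conditional access leaves no evaluation.
        if not rec.get("ca_policy_evaluated", False):
            reasons.append("no_conditional_access_evaluation")
        if "initiator_from_foreign_tenant" in reasons or len(reasons) >= 2:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "info"
        alerts.append({
            "time": rec.get("time"),
            "role": rec.get("role"),
            "target": rec.get("target"),
            "initiator": rec.get("initiator"),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    # Constructed allow-list of principals expected to grant admin roles.
    for alert in find_suspicious_role_grants(records, "tenant-contoso", {"it-admin@contoso.example"}):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['initiator']} -> {alert['target']} "
              f"({alert['role']}) {', '.join(alert['reasons']) or 'no findings'}")
```

Run against the sample, the script lists three Global Administrator grants: the routine one from the approved administrator as `info`, the one from an unapproved helpdesk account as `medium`, and the one initiated from a foreign tenant with no conditional access evaluation as `high`. The severity rules are deliberately simple; the useful part is that the cross-tenant and missing-evaluation signals are checked at all, since the quotes above describe exactly those controls being bypassed.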