Azure blues: Active Directory Connect has password reset vuln
Attackers can dive out of the cloud to pwn admin passwords
Microsoft is warning sysadmins to check their Azure Active Directory Connect configurations and implement a patch against a credential-handling vulnerability.
The bug's in an Active Directory (AD) feature called password writeback. Azure AD can be configured to copy user passwords back to a local AD environment.
A convenience feature, password writeback is designed to simplify password resets, letting users change their local and cloud passwords simultaneously. It supports resets from Office 365 and allows admins to push a reset from the Azure portal back to on-premises AD.
And if the permission behind it is misconfigured, Microsoft writes, the feature can be abused by attackers who force resets and thereby control a user's new password.
“When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).”
A malicious cloud admin can therefore force resets of on-premises AD accounts – including those of admin-level users – and force the reset to a password of the attacker's choice. That would then get written back to the victim's local environment, and presto, the target's pwned.
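The misconfiguration Microsoft describes can be checked for directly in on-premises AD. The script below is an added audit example, not code from Microsoft or from the article: it lists privileged accounts (adminCount=1) and the AdminSDHolder template on which a given Azure AD Connect service account holds the Reset Password extended right (or GenericAll, which implies it). The account name passed in `-ConnectAccount` is an assumption you supply for your own environment.

```powershell
# Added audit script (not Microsoft's or The Register's): which privileged
# on-prem AD objects grant "Reset Password" to the Azure AD Connect account?
# Requires the RSAT ActiveDirectory module and read access to the directory.
param(
    # Assumption: the on-prem account Azure AD Connect runs as, e.g. 'CORP\MSOL_example'
    [Parameter(Mandatory = $true)][string]$ConnectAccount
)
Import-Module ActiveDirectory

# Schema GUID of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Privileged accounts carry adminCount=1 and have their ACLs re-stamped from
# AdminSDHolder, so audit both the accounts and the template container.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @(Get-ADUser -LDAPFilter '(adminCount=1)' |
              Select-Object -ExpandProperty DistinguishedName)
$targets += "CN=AdminSDHolder,CN=System,$domainDn"

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ConnectAccount -and
        (
            # GenericAll implies every extended right, including Reset Password.
            (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
            # ExtendedRight with an empty ObjectType means "all extended rights".
            ((($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
             ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty))
        )
    } | ForEach-Object {
        [pscustomobject]@{
            Object    = $dn
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Azure AD Connect can reset passwords on privileged objects:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Reset Password grants to $ConnectAccount on privileged objects."
}
```

Any hit means the writeback account can reset a Domain or Enterprise Admin's password from the cloud side; the fix is to scope the Reset Password right to the OUs holding ordinary user accounts and apply Microsoft's update.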
Microsoft has patched the issue in this update to Azure AD Connect. ®