FB pixel

Microsoft Entra ID authentication security flaw threatens hybrid environments

Categories Access Control  |  Biometrics News
Microsoft Entra ID authentication security flaw threatens hybrid environments
 

A newly discovered vulnerability in Microsoft’s Entra ID (formerly Azure Active Directory) has exposed a critical threat to hybrid cloud environments. This flaw, identified by researchers from Cymulate, allows attackers to bypass authentication mechanisms in Pass-Through Authentication (PTA) systems used by organizations with hybrid identity infrastructures.

The vulnerability exploits the way PTA agents handle authentication requests across multiple on-premises Entra ID domains, Dark Reading reports. Normally, when a user tries to sign in, the PTA agent validates the credentials against the on-premises Entra. However, researchers found that if a login request is processed by an agent from a different domain, it results in authentication failure because the server doesn’t recognize the user. By injecting malicious code into the PTA agent, an attacker can manipulate this process to successfully validate credentials, effectively bypassing authentication and gaining unauthorized access to user accounts across different domains.

Selfie biometrics for authentication to Entra ID reached general availability just last week.

This vulnerability can be exploited by anyone with admin access to a PTA server, allowing them to log in as any user synced with Entra ID without needing their actual credentials.

Cymulate researchers disclosed in their blog that they initially reported the vulnerability to the Microsoft Security Response Center (MSRC) on July 5. Microsoft responded on July 19, downplaying the severity of the issue as “moderate” and stating that it doesn’t pose an immediate threat. Despite acknowledging the flaw, Microsoft informed Cymulate that it does not plan to issue a CVE (Common Vulnerabilities and Exposures) for this problem. However, it promises that a fix is planned and is already on their to-do list, though no estimated timeline for the resolution has been provided​.

The company has recommended treating PTA servers as Tier-0 components and enforcing strict security measures while they work on a fix. Cymulate has also suggested implementing domain-aware routing and stricter separation between domains to mitigate this risk.

Related Posts

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Biometrics cycle from innovations to scale-up opportunities

Biometrics integrations range from the experimental to the everyday in the most-read articles of the week on Biometric Update. Yesterday’s…

 

US Justice developing AI use guidelines for law enforcement, civil rights

The US Department of Justice (DOJ) continues to advance draft guidelines for the use of AI and biometric tools like…

 

Airport authorities expand biometrics deployments with Thales, Idemia tech

Biometric deployments involving Thales, Idemia and Vision-Box, alongside agencies like the TSA,  highlight the aviation industry’s commitment to streamlining operations….

 

Age assurance laws for social media prove slippery

Age verification for social media remains a fluid issue across regions, as stakeholders argue their positions to courts and governments,…

 

ZeroBiometrics passes pioneering BixeLab biometric template protection test

ZeroBiometrics’ face biometrics software meets the specifications for template protection set out in the ISO/IEC 30136, according to a pioneering…

 

Apple patent filing aims for reuse of digital ID without sacrificing privacy

A patent filing from Apple for ensuring a presented reusable digital ID belongs to the person holding it via selfie…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events