
Microsoft Entra ID authentication security flaw threatens hybrid environments


A newly discovered vulnerability in Microsoft Entra ID (formerly Azure Active Directory) poses a serious threat to hybrid cloud environments. The flaw, identified by researchers at Cymulate, allows attackers to bypass authentication in deployments that use Pass-Through Authentication (PTA), a sign-in method used by organizations with hybrid identity infrastructures.

The vulnerability stems from the way Entra ID distributes authentication requests among PTA agents when an organization runs agents for several on-premises Active Directory domains, Dark Reading reports. Normally, when a user signs in, Entra ID hands the username and password to a PTA agent, which validates them against on-premises Active Directory. The researchers found that Entra ID does not route a request to an agent in the user's own domain: if the request lands on an agent serving a different domain, authentication simply fails because that domain does not recognize the user. By injecting malicious code into a PTA agent, an attacker can manipulate this process so that the agent reports the credentials as valid, effectively bypassing authentication and gaining unauthorized access to user accounts across different domains.

Selfie biometrics for authentication to Entra ID reached general availability just last week.

This vulnerability can be exploited by anyone with admin access to a PTA server, allowing them to log in as any user synced with Entra ID without needing their actual credentials.

Cymulate researchers disclosed in their blog that they initially reported the vulnerability to the Microsoft Security Response Center (MSRC) on July 5. Microsoft responded on July 19, rating the severity of the issue as "moderate" and stating that it does not pose an immediate threat. Despite acknowledging the flaw, Microsoft informed Cymulate that it does not plan to issue a CVE (Common Vulnerabilities and Exposures) identifier for it. Microsoft says a fix is planned and already on its backlog, though it has given no estimated timeline for the resolution.

Microsoft has recommended treating PTA servers as Tier-0 components and enforcing strict security controls on them while it works on a fix. Cymulate has also suggested implementing domain-aware routing and stricter separation between domains to mitigate the risk.
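The bypass described above needs malicious code running inside the PTA agent on a server the attacker already administers, which is why the Tier-0 recommendation matters. As an added example (this is not code from the article, Cymulate or Microsoft), the following PowerShell script is a baseline integrity check for a PTA agent host: it verifies the agent service's image path, checks that every binary in the install directory carries a valid Microsoft Authenticode signature, and inspects the modules the live agent process has actually loaded. The service name and install directory used here are assumptions and should be adjusted to match your deployment.

```powershell
<#
Added example, not code from the article, Cymulate or Microsoft: a baseline
integrity check for a Pass-Through Authentication (PTA) agent host. The bypass
described in the article needs malicious code inside the PTA agent, so this
script checks (1) that the agent service's image path is where it should be,
(2) that every EXE/DLL in the install directory has a valid Microsoft
Authenticode signature, and (3) that the running agent process has not loaded
an untrusted module from elsewhere on disk.

ASSUMPTIONS (not confirmed by the article; adjust for your environment):
  - the agent runs as the Windows service 'AzureADConnectAuthenticationAgent'
  - it is installed under "$env:ProgramFiles\Microsoft Azure AD Connect Authentication Agent"
Run elevated on the agent host; reading another process's module list needs admin.
#>
param(
    [string]$ServiceName = 'AzureADConnectAuthenticationAgent',
    [string]$InstallDir  = (Join-Path $env:ProgramFiles 'Microsoft Azure AD Connect Authentication Agent')
)

$ignoreCase = [System.StringComparison]::OrdinalIgnoreCase
$findings   = [System.Collections.Generic.List[string]]::new()

function Test-MicrosoftSigned {
    # $true only for a valid Authenticode signature whose signer is Microsoft.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# 1. The service must exist and its image path must live inside the install directory.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; is this host really a PTA agent?" }

# PathName looks like "C:\...\Something.exe" plus optional arguments; keep the EXE path only.
$imagePath = $svc.PathName -replace '^"?([^"]*?\.exe)"?.*$', '$1'
if (-not $imagePath.StartsWith($InstallDir, $ignoreCase)) {
    $findings.Add("Service image path is outside the install directory: $imagePath")
} elseif (-not (Test-MicrosoftSigned $imagePath)) {
    $findings.Add("Service binary is not validly Microsoft-signed: $imagePath")
}

# 2. Every PE file shipped with the agent must be Microsoft-signed. A planted or
#    patched DLL in this directory is the simplest form of the injection attack.
Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll | ForEach-Object {
    if (-not (Test-MicrosoftSigned $_.FullName)) {
        $findings.Add("Unsigned or non-Microsoft binary in install dir: $($_.FullName)")
    }
}

# 3. Modules the running agent has actually loaded. This catches a DLL injected
#    from anywhere else on disk, which step 2 never looks at. Modules under
#    %windir% are skipped: they are OS-owned and already covered by the OS's own
#    code-integrity controls.
if ($svc.ProcessId -gt 0) {
    try {
        $modules = (Get-Process -Id $svc.ProcessId).Modules
    } catch {
        $findings.Add("Could not enumerate modules of PID $($svc.ProcessId): $($_.Exception.Message)")
        $modules = @()
    }
    foreach ($m in $modules) {
        $p = $m.FileName
        if ($p.StartsWith($InstallDir, $ignoreCase) -or $p.StartsWith($env:windir, $ignoreCase)) { continue }
        if (-not (Test-MicrosoftSigned $p)) {
            $findings.Add("Untrusted module loaded into the agent process: $p")
        }
    }
} else {
    $findings.Add("Service '$ServiceName' is not running (state: $($svc.State))")
}

# 4. Report. A non-zero exit code lets a scheduled task or endpoint agent raise an alert.
if ($findings.Count -eq 0) {
    Write-Output "OK: '$ServiceName' binaries and loaded modules pass the integrity check."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Treat the result as a tripwire, not proof of integrity: an attacker with local admin on the host, which is exactly what this attack requires, can alter the script or patch the agent in memory without touching any file on disk, and managed .NET assemblies loaded from memory do not appear in the native module list. Schedule it from a separate management host, keep a baseline of the file hashes, and rely on the Tier-0 controls (restricted local administrators, privileged access monitoring) as the real defence.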
