Discovered: Potentially Cataclysmic Azure Vulnerabilities That Could Compromise Global Customer Accounts

In the past decade, businesses worldwide have transitioned their digital infrastructure to the cloud, relying on the standardized security features of providers like Microsoft. Yet, with such critical operations hinging on these systems, a significant breach could have catastrophic implications. A recent discovery by cybersecurity researcher Dirk-jan Mollema underscores this risk: he uncovered vulnerabilities in Microsoft Azure’s identity and access management platform, Entra ID, that could potentially grant attackers global administrator privileges, compromising nearly every Entra ID directory except for government cloud infrastructure.
Entra ID, formerly known as Azure Active Directory, is the system that manages Azure cloud customers’ user identities, sign-in controls, applications, and subscription tools. Mollema, who runs Outsider Security, a Dutch cybersecurity firm specializing in cloud security, has researched Entra ID’s security weaknesses extensively. While preparing in July for the Black Hat security conference in Las Vegas, he discovered two vulnerabilities that, when combined, could have given attackers unrestricted access to any Entra ID directory, also known as a “tenant.”
“I was taken aback,” Mollema said. “It was quite severe. As bad as it gets, I would say.”
Armed with the Actor Tokens at the center of the flaws, an attacker could impersonate any user within another tenant, modify configurations, create new administrator accounts, and perform other actions at will.
Mollema reported the vulnerabilities to Microsoft’s Security Response Center on July 14, the day he discovered them. Microsoft opened an investigation that day and deployed a global fix on July 17, confirmed to Mollema on July 23 that the issue was resolved, and rolled out additional hardening in August. Microsoft assigned a CVE (Common Vulnerabilities and Exposures) identifier to the vulnerability on September 4.
Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, stated, “We mitigated the newly identified issue quickly and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative.” Gallagher added that Microsoft found no evidence of abuse during its investigation.
Both vulnerabilities stem from legacy components still in operation within Entra ID. The first involves a type of authentication token known as an Actor Token, issued by the Access Control Service (ACS), a legacy component used for service-to-service communication. Actor Tokens carry properties that Mollema realized an attacker could abuse when paired with a second flaw. That second bug lies in the legacy Azure Active Directory Graph API (Azure AD Graph), which applications have used to read and modify directory data such as users, groups and application registrations for Microsoft 365 and Azure tenants; it is being retired in favor of Microsoft Graph, the API designed for Entra ID. The flaw was that Azure AD Graph did not correctly validate which tenant an incoming request belonged to, so it accepted Actor Tokens originating from a different tenant that should have been rejected. In effect, a token minted in an attacker-controlled tenant was honored as if it had been issued in the victim’s tenant.
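To make the tenant-binding failure concrete, here is an added example written for this page; it is not Microsoft’s code and not the researcher’s exploit. It models a resource API authorizing a request with an Actor-style token. The token structure, the issuer name, the tenant identifiers and the application name are all constructed stand-ins. The only point it demonstrates is the general one behind the Azure AD Graph bug: checking that a token is trusted, without also checking that the tenant it was issued for matches the tenant being accessed, lets a token from one tenant act inside another.

```python
"""Simplified model of a missing tenant-binding check (added example, not
Microsoft's code). Tokens are plain dataclasses built in-line so the script
runs offline; in a real system these fields come from a validated token."""
from dataclasses import dataclass

# Constructed sample tenant identifiers (not real tenant GUIDs).
ATTACKER_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_TENANT = "22222222-2222-2222-2222-222222222222"

# Hypothetical issuer name standing in for the token-issuing service.
TRUSTED_ISSUERS = {"acs.example"}


@dataclass(frozen=True)
class ActorToken:
    issuer: str          # service that minted the token
    tenant_id: str       # tenant the token was issued for
    actor_app: str       # service acting on behalf of a user
    acting_as_user: str  # user being impersonated


class TokenRejected(Exception):
    """Raised when an authorizer refuses a token."""


def vulnerable_authorize(token: ActorToken, target_tenant: str) -> str:
    """Models the bug: trust in the issuer is checked, but the tenant named
    in the request is never compared with the tenant the token was issued
    for, so a token from any tenant is honored against any other tenant."""
    if token.issuer not in TRUSTED_ISSUERS:
        raise TokenRejected("untrusted issuer")
    # Serves a request for target_tenant with a token from token.tenant_id.
    return f"{token.acting_as_user}@{target_tenant}"


def hardened_authorize(token: ActorToken, target_tenant: str) -> str:
    """Same issuer check plus tenant binding: the token must have been
    issued for the tenant that is being accessed."""
    if token.issuer not in TRUSTED_ISSUERS:
        raise TokenRejected("untrusted issuer")
    if token.tenant_id != target_tenant:
        raise TokenRejected(
            f"token for tenant {token.tenant_id} used against {target_tenant}"
        )
    return f"{token.acting_as_user}@{target_tenant}"


def cross_tenant_accepted(authorize) -> bool:
    """True if the given authorizer serves a victim-tenant request using a
    token minted in the attacker's own tenant (constructed scenario)."""
    token = ActorToken(
        issuer="acs.example",
        tenant_id=ATTACKER_TENANT,
        actor_app="example-service",  # hypothetical application name
        acting_as_user="admin",
    )
    try:
        authorize(token, VICTIM_TENANT)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    print("vulnerable accepts cross-tenant token:",
          cross_tenant_accepted(vulnerable_authorize))
    print("hardened accepts cross-tenant token:",
          cross_tenant_accepted(hardened_authorize))
```

The same-tenant path is unchanged by the fix: a token issued for the victim tenant still authorizes requests against that tenant. The defensive lesson generalizes beyond Azure: any multi-tenant resource server must bind the token to the tenant (or resource) it is being presented against, not merely verify that the token is genuine.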