Users warned over Azure Active Directory authentication flaw

Researchers at Secureworks’ Counter Threat Unit (CTU) have warned of a new and potentially serious vulnerability affecting the pass-through authentication (PTA) hybrid identity authentication method used in Azure Active Directory (AD).

PTA is one of three authentication options used for hybrid identities in Azure AD, the others being password-hash synchronisation (PHS) and identity federation.

It is considered a good option for organisations that cannot or do not wish to synchronise password hashes to the cloud, or ironically those that need stronger authentication controls. When it comes to identity federation, which is usually implemented with the AD Federation Services (AD FS), PTA is often held to be more secure – AD FS was notably exploited in the SolarWinds attack.

PTA works by installing agents on on-premise servers, up to a maximum of 40 per tenant. When a user accesses a service using the Azure AD identity platform, such as Microsoft 365, and provides their credentials, Azure AD encrypts them and sends an authentication request to one of the agents, which decrypts these credentials, logs in with them, and returns the results to the user.

However, the CTU research team has now demonstrated a successful proof of concept (PoC) for an exploit that if left unchecked can be used by a threat actor to exploit the PTA’s core installation processes and steal the agent’s identity by exporting the certificate that it uses for certificate-based authentication (CBA).

With this certificate to hand, a threat actor can perform a number of malicious actions, as the CTU team explained in its disclosure notice.

“The compromised certificate can be used with the attacker-controlled PTA agent to create an undetectable backdoor, allowing threat actors to log in using invalid passwords, gather credentials and perform remote denial of service attacks,” said the team. “Attackers can renew the certificate when it expires to maintain persistence in the network for years. A compromised certificate cannot be revoked by an organisation’s administrators.”

However, having shared the research with Microsoft some months ago, Microsoft has insisted PTA is working as intended and has given no indication of any plans to address the vulnerability.

The Microsoft Security Response Center said: “Our team completed the assessment for this issue and we understand that the attack surface for this requires compromising a high security asset by gaining administrative access in the first place.

“If the customer followed our hardening guidance but the attacker still has access to the server that runs the PTA agent then they already had access to the user credentials, hence we believe this vulnerability in itself does not pose an additional risk.

“As a mitigation mechanism, we do have the ability to block agents on the server side based on customer escalations and furthermore we are looking into ways to improve our audit logs as an improved detection mechanism.”

Nevertheless, the Secureworks CTU is recommending Azure AD users perform the following actions to protect their tenants:

• Treat all on-premise hybrid identity components, including servers with PTA agents, as tier zero servers;
• Consider adopting alternative hybrid authentication methods, such as PHS or identity federation;
• Monitor for activity indicative of compromise, such as someone logging in with an incorrect password – this activity can be seen in the Azure AD portal, also via the beta version of the Microsoft Graph sign-ins report. If a potentially compromised PTA agent is seen, it can be invalidated by creating a support request in the Azure AD portal.
• Introduce multi-factor authentication to prevent cyber criminals exploiting a PTA agent.