Unfixed Microsoft Entra ID Authentication Bypass Threatens Hybrid IDs
The attack affects organizations that have synced multiple on-premises Active Directory domains to a single Azure tenant.
August 20, 2024
Researchers have found a way to manipulate the credential validation process in Microsoft Entra ID identity environments that they say attackers can use to bypass authentication in hybrid identity infrastructures.
The attack requires an adversary to already hold administrative access on a server hosting a Pass-Through Authentication (PTA) agent, the component that validates users' on-premises Active Directory credentials so they can sign in to Microsoft Entra ID (formerly Azure Active Directory) and the cloud services behind it.
With that foothold, the attacker can make the agent accept sign-ins as a synced Entra ID user, including users from other on-premises domains feeding the same tenant, without a separate authentication against that domain, researchers from Cymulate said in a report.
Turning PTA Into a Double-Agent
“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password,” Cymulate security researcher Ilan Kalendarov wrote.
“This could potentially grant access to a global admin user if such privileges were assigned, regardless of their original synced AD domain,” and enable lateral movement to different on-premises domains.
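Because the attack's precondition is admin access on a PTA agent host, the first thing a defender will want is a quick triage of each candidate server: confirm the agent is present, check that its binary is still the signed one, and review who actually holds local admin there. The script below is an added example written for this page, not code from Cymulate or Microsoft. It assumes Windows PowerShell 5.1 or later on the server; the service name is the one the PTA agent installer registers, and the binary path is derived from the service definition rather than hard-coded, but verify both against your own deployment.

```powershell
# Added example (not from the Cymulate report): triage a host for the
# Entra ID Pass-Through Authentication agent and review who holds local
# admin on it, since that admin access is the attack's precondition.
# Assumptions: Windows PowerShell 5.1+, run elevated on the candidate
# server; $serviceName is the service the PTA agent installer registers
# (verify it against your install).

$serviceName = 'AzureADConnectAuthenticationAgent'

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "No PTA agent service ($serviceName) on $env:COMPUTERNAME."
    return
}

# Resolve the service binary from the service definition and check its
# Authenticode signature: an unsigned or re-signed agent binary is the
# simplest way to turn the agent into the "double agent" described above.
$svcInfo = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
$exePath = $svcInfo.PathName -replace '^"([^"]+)".*$', '$1'
$sig     = Get-AuthenticodeSignature -FilePath $exePath

[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Status    = $svc.Status
    RunsAs    = $svcInfo.StartName
    Binary    = $exePath
    SigStatus = $sig.Status           # expect 'Valid'
    Signer    = $sig.SignerCertificate.Subject
}

# Everyone in this group can do what the attack requires. Review it
# against your tiering model: a PTA agent host handles domain credentials
# for every synced user and should be protected like a domain controller.
Write-Output "`nLocal Administrators on $env:COMPUTERNAME:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Processes that loaded a module from the agent's install directory, other
# than the agent itself, deserve a closer look. Module enumeration can be
# denied for protected processes, so those are skipped rather than fatal.
$installDir = Split-Path -Parent $exePath
Get-Process | Where-Object {
    try {
        $_.Id -ne $svcInfo.ProcessId -and
        ($_.Modules.FileName -like "$installDir\*") -contains $true
    } catch { $false }
} | Select-Object Id, ProcessName, Path
```

Run it on every server that appears under the Pass-through authentication agent list in the Entra admin center, not just the Entra Connect server; agents are routinely installed on additional hosts for high availability, and each of them is an equally good foothold.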
Microsoft did not respond immediately to a Dark Reading request for comment. According to Cymulate, Microsoft plans a code fix on its side to address the issue, but has rated the technique as only a medium-severity threat, the Israel-based security vendor said.
Earlier this month at Black Hat USA 2024, a security researcher at Semperis disclosed another issue with Entra ID that allowed attackers to gain access to an organization's entire cloud environment.
Attackers are increasingly targeting cloud identity services such as Entra ID, Okta, and Ping, because compromising the identity provider gives them access to the enterprise data in every SaaS application that trusts it.