Microsoft promptly removed the compromised, abandoned reply URL from the Azure AD application, effectively closing the avenue for unauthorized access.
Key Findings
- A critical vulnerability was found in Microsoft’s Power Platform API.
- The vulnerability involved an abandoned reply URL within the Azure Active Directory (AD) environment.
- The vulnerability could allow threat actors to gain unauthorized access to elevated permissions and control within an organization.
- Microsoft responded swiftly to the vulnerability report and removed the compromised abandoned reply URL within 24 hours.
- Organizations are urged to monitor their Azure AD applications for abandoned reply URLs to prevent similar attack scenarios.
Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization.
The abandoned reply URL was associated with an Azure AD application connected to Microsoft’s Power Platform, a popular low-code platform. Exploiting this vulnerability allowed threat actors to redirect authorization codes to themselves, thereby exchanging these codes for access tokens. By doing so, attackers could gain entry into the Power Platform API through a middle-tier service and attain elevated privileges, potentially leading to unauthorized access and misuse.
Secureworks researchers emphasized the significance of the Power Platform API, which provides users with the ability to manage environments, adjust environment settings, and analyze capacity consumption. Due to the extensive permissions associated with this API, it becomes an appealing target for malicious actors aiming to gain privileged access.
Through a proof of concept, Secureworks demonstrated how this vulnerability could lead to the elevation of privileges within the Power Platform API. While the researchers did not exploit this access further, they highlighted the potential for attackers with knowledge of the Power Platform admin API to develop additional attack scenarios. The vulnerability allowed Secureworks researchers to gain administrative privileges within the Power Platform API through the manipulation of tokens.
In response to the vulnerability report, Microsoft swiftly addressed the issue within 24 hours of notification from Secureworks. The tech giant promptly removed the compromised abandoned reply URL from the Azure AD application, effectively closing the avenue for unauthorized access.
Secureworks emphasized the importance of organizations monitoring their Azure AD applications for abandoned reply URLs to prevent similar attack scenarios. The vulnerability, though resolved, warns of the potential risks associated with improper management of application URLs within Azure AD environments.
RELATED NEWS
- Mirai botnet exploiting Azure OMIGOD vulnerabilities
- Microsoft Azure customer hit by 2.4 Tbps DDoS attack
- Microsoft warns of Azure vulnerability prompting data theft
- Researchers accessed keys of Azure’s Cosmos DB customers
- Sensitive source codes exposed in Microsoft Azure Blob account leak