A newly discovered vulnerability in Microsoft Entra ID (formerly Azure Active Directory) has exposed a critical risk for organizations using hybrid identity infrastructures. Researchers from Cymulate have identified a flaw in the Pass-Through Authentication (PTA) process, which allows attackers with admin access to a PTA server to bypass authentication mechanisms. This vulnerability affects environments where multiple on-premises Active Directory domains are synced to a single Azure tenant, enabling attackers to log in as any synced user without needing their actual credentials.
The flaw arises from how PTA agents handle authentication requests from different on-premises domains. When a user attempts to sign in, the request is placed in a service queue and can be processed by any available PTA agent. Cymulate’s proof-of-concept attack demonstrates how an attacker can inject a malicious dynamic link library into the PTA agent. This manipulation allows the attacker to intercept and alter the credential validation process, effectively bypassing authentication checks and granting unauthorized access to user accounts across various domains.
Microsoft has rated this vulnerability as medium-severity, citing the requirement for attackers to first gain local admin access on the PTA server. While Microsoft plans to address the issue in future updates, the company has emphasized the need for organizations to treat PTA servers as Tier-0 components. This includes implementing stringent security controls, such as strict access management, enhanced monitoring, and network isolation, to mitigate the risk. However, many organizations do not currently adhere to these best practices, potentially leaving them vulnerable.
In response to the threat, Cymulate has recommended that Microsoft implement domain-aware routing to ensure that authentication requests are correctly directed to the appropriate PTA agent. Additionally, establishing strict logical separation between different on-premises domains within the same tenant could further enhance security. This vulnerability underscores the growing importance of securing hybrid identity environments, as attackers increasingly target cloud identity services to gain unauthorized access to enterprise systems and data.
Reference:
