A significant security vulnerability has been uncovered in Microsoft Entra ID, allowing privileged users to escalate their access to global administrator status, which could give them full control over an organization’s cloud environment. This flaw was disclosed by Eric Woodruff, a Senior Cloud Security Architect at Semperis, during the Black Hat conference. The vulnerability stems from a design issue within Microsoft’s identity and access management service, where users with specific admin-level roles, such as Application Administrator or Cloud Application Administrator, can assign credentials directly to a service principal. This enables attackers to exploit OAuth 2.0 mechanisms to gain unauthorized access and elevate their privileges.
The risk associated with this vulnerability is particularly alarming because it allows an attacker with initial privileged access to potentially become a global administrator, a role with extensive control over cloud resources. Woodruff highlighted that this escalation could lead to attackers gaining access to sensitive areas, such as emails in Microsoft 365 or applications tied to Azure. The vulnerability was found in service principals for Viva Engage, Microsoft Rights Management Service, and the Device Registration Service, with the latter posing the most critical threat by allowing attackers to elevate their privileges to the highest level.
In response to this discovery, Microsoft has implemented new controls to mitigate the risk. These controls are designed to restrict the usage of credentials on service principals, preventing unauthorized privilege escalation. Specifically, attempts to use the Device Registration Service for this purpose will now trigger an error from Microsoft Graph, effectively blocking the escalation attempt. Despite these measures, the vulnerability underscores a broader concern within the security community: the need for more robust protection and monitoring of privileged accounts, which are often targeted by attackers seeking to escalate their access within an organization.
Woodruff’s findings also point to a common security gap in many organizations, where application administrators are not as rigorously secured as they should be. This lack of security around privileged roles creates a potential attack vector for threat actors. The revelation of this flaw serves as a reminder of the critical importance of continuous monitoring and stringent security practices, especially as organizations increasingly rely on cloud services and identity management solutions. To protect against similar vulnerabilities, organizations must prioritize securing privileged accounts and ensuring that their security protocols are robust enough to withstand sophisticated attacks.
Reference:
