Microsoft warns that a vulnerability in its cloud service allows passwords to be changed


Microsoft strongly recommends that system administrators at companies using the Azure cloud service review their configuration and install a patch for a vulnerability that allows user passwords to be reset without the users' knowledge.

VULNERABILITY IN MICROSOFT AZURE


A vulnerability has been identified in the Microsoft Azure Active Directory Connect service that allows attackers to take over the passwords of on-premises accounts, or more precisely, to set them without the knowledge of the accounts' owners. The corporation itself reported the issue.

Azure Active Directory (Azure AD) is Microsoft's multi-tenant cloud directory and identity management service. It gives system administrators the ability to provide a company's employees and business partners with single sign-on access to thousands of cloud SaaS applications, such as Office 365, Salesforce.com, Dropbox and Concur.


The vulnerability lies in the feature called password writeback. It writes Azure AD passwords back to the on-premises directory to simplify the password reset procedure and to let users change their on-premises and cloud passwords at the same time. The feature lets users reset passwords from the Office 365 environment and also lets administrators issue a command from the Azure portal to reset a password in the on-premises AD.

A vulnerability in Azure AD Connect allows passwords to be reset without users' knowledge
Microsoft recommends updating Azure AD Connect to version 1.1.553.0.

In this version, password writeback requests to on-premises privileged accounts are blocked if the administrator making the request is not the owner of that on-premises account.

SO WHAT IS THE PROBLEM?


As stated in Microsoft's security bulletin, if the password writeback feature is misconfigured, attackers have a hypothetical opportunity to set new passwords on accounts that are not their own.

To enable password writeback, Azure AD Connect must be granted the Reset Password permission on user accounts in the on-premises AD. When setting this permission, an on-premises AD user with administrative credentials may inadvertently grant Azure AD Connect the right to reset the passwords of on-premises privileged accounts, up to and including the Enterprise Admins and Domain Admins level.


"This configuration is not recommended, because in that case a potentially malicious Azure AD administrator can use password writeback to reset the passwords of arbitrary on-premises privileged accounts to known values. This, in turn, lets the malicious administrator gain privileged access to on-premises accounts," Microsoft said.
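The misconfiguration described above can be audited from the on-premises side. The following script is an added example, not part of the article or of Microsoft's guidance: it lists the privileged on-premises accounts (those marked adminCount=1 by AdminSDHolder) on which a given account, assumed to be the Azure AD Connect connector account and named here by a placeholder, holds the Reset Password extended right. It assumes a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Audit: which privileged on-prem AD accounts can a given account reset the password of?
# Added example; the connector account name below is a placeholder to be replaced.
param(
    [string]$ConnectorAccount = 'MSOL_PLACEHOLDER'   # placeholder: your AD Connect AD DS account
)
Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" control access right (User-Force-Change-Password)
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll         = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Privileged accounts: those protected by AdminSDHolder carry adminCount=1
$privileged   = Get-ADUser -LDAPFilter '(adminCount=1)'
$connectorSid = (Get-ADUser -Identity $ConnectorAccount).SID.Value

foreach ($user in $privileged) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Compare by SID so a renamed or differently formatted identity is not missed
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) SID: cannot be the connector account
        if ($aceSid -ne $connectorSid) { continue }

        # Reset Password is granted by: the specific extended right, an ExtendedRight ACE
        # with an empty ObjectType (all extended rights), or GenericAll
        $hasExtended = ([int]($ace.ActiveDirectoryRights -band $extendedRight)) -ne 0
        $coversReset = ($ace.ObjectType -eq $resetPasswordRight) -or ($ace.ObjectType -eq [guid]::Empty)
        $hasGeneric  = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)

        if (($hasExtended -and $coversReset) -or $hasGeneric) {
            [pscustomobject]@{
                PrivilegedAccount = $user.SamAccountName
                GrantedVia        = if ($hasGeneric) { 'GenericAll' } else { 'Reset Password' }
                Inherited         = $ace.IsInherited
            }
        }
    }
}
```

Any account listed is one on which password writeback could set a new password; the fixed 1.1.553.0 build blocks such requests, but removing the permission itself closes the gap on older builds as well.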
