Microsoft fixed an important privilege escalation vulnerability in Azure Active Directory (AD) Connect, tracked as CVE-2017-8613, that can be exploited by attackers to hijack the accounts of privileged users.

Azure Active Directory Connect allows organizations to integrate their on-premises identity infrastructure with Azure AD. The flaw resides in the Azure AD Connect feature “password writeback,” which allows users to easily reset their on-premises passwords by configuring Azure AD to write passwords back to the on-premises AD.

Microsoft warned that the password writeback feature could be misconfigured during setup in a way that a malicious Azure AD administrator could abuse. Such an administrator can set the password of an on-premises AD account belonging to a privileged user to a value of their choosing and thereby take over the account.

“Password writeback is a component of Azure AD Connect. It allows users to configure Azure AD to write passwords back to their on-premises Active Directory. It provides a convenient cloud-based way for users to reset their on-premises passwords wherever they are.” states the Microsoft security advisory.

“To enable Password writeback, Azure AD Connect must be granted Reset Password permission over the on-premises AD user accounts. When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts),” Microsoft explained in its advisory. “This configuration is not recommended because it allows a malicious Azure AD Administrator to reset the password of an arbitrary on-premises AD user privileged account to a known password value using Password writeback. This in turn allows the malicious Azure AD Administrator to gain privileged access to the customer’s on-premises AD.”

Microsoft solved the privilege escalation flaw by preventing password resets to privileged on-premises accounts.

Users should update to Azure Active Directory Connect version 1.1.553.0. Those who cannot update immediately can mitigate the issue by following the instructions provided by Microsoft.
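As an added defender-side check, not taken from the article or from Microsoft's advisory, the following PowerShell audit lists privileged on-premises accounts whose ACL grants the Azure AD Connect service account the Reset Password extended right, which is the misconfiguration this flaw depends on. It assumes the RSAT ActiveDirectory module is installed and that the connector account's name begins with the default "MSOL_" prefix; adjust the filter if your installation uses a different name.

```powershell
# Added example (not part of the original article or Microsoft's guidance).
# Finds protected AD accounts (adminCount=1) whose security descriptor allows the
# Azure AD Connect service account to reset their password.
# Assumptions: RSAT ActiveDirectory module present; connector account named MSOL_*.
Import-Module ActiveDirectory

# Extended right GUID for User-Force-Change-Password, shown as "Reset Password" in the UI.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Resolve the connector account(s) to SIDs; the MSOL_ prefix is an assumption.
$connectorSids = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' |
    ForEach-Object { $_.SID.Value }
if (-not $connectorSids) {
    throw 'No MSOL_* account found; set the connector account name explicitly.'
}

# Accounts protected by AdminSDHolder (Domain/Enterprise Admins and similar).
$privileged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties DistinguishedName

$findings = foreach ($user in $privileged) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Compare trustees by SID so NTAccount vs. SID formatting does not matter.
        $sid = try {
            $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $null }
        $grantsExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        # An empty ObjectType GUID means "all extended rights", which includes Reset Password.
        $coversReset = ($ace.ObjectType -eq $ResetPasswordGuid) -or ($ace.ObjectType -eq [Guid]::Empty)
        if ($sid -and ($connectorSids -contains $sid) -and
            $ace.AccessControlType -eq 'Allow' -and $grantsExtended -and $coversReset) {
            [pscustomobject]@{
                Account   = $user.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited   # inherited ACEs usually trace back to AdminSDHolder
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Azure AD Connect can reset passwords of these privileged accounts:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No privileged account grants Reset Password to the Azure AD Connect account.'
}
```

Run it from a domain-joined host as an account that can read the security descriptors of protected objects; any row in the output is an account the advisory recommends excluding from password writeback.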

Pierluigi Paganini

(Security Affairs – Azure Active Directory Connect, Privilege Escalation)