Unfixed Microsoft Entra ID Authentication Bypass Threatens Hybrid IDs

Researchers have found a way to manipulate the credential validation process in Microsoft Entra ID identity environments that they say attackers can use to bypass authentication in hybrid identity infrastructures.

The attack would require an adversary to have admin access on a server hosting a Pass-Through Authentication (PTA) agent, a component that allows users to sign in to cloud services using on-premises Microsoft Entra ID (formerly Azure Active Directory) credentials. They can then use that access to log in as an Entra ID user across different on-premises domains without the need for separate authentication, researchers from Cymulate said in a report this week.

Turning PTA Into a Double-Agent

"This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password," Cymulate security researcher Ilan Kalendarov wrote. "This could potentially grant access to a global admin user if such privileges were assigned, regardless of their original synced AD domain," and enable lateral movement to different on-premises domains.

Microsoft did not respond immediately to a Dark Reading request for comment. But according to Cymulate, Microsoft plans to fix code on its end to address the issue. However, the company also has described the attack technique as presenting only a medium-severity threat, the Israel-based security vendor said.

Earlier this month at Black Hat USA 2024, a security researcher at Semperis disclosed another issue with Entra ID that allowed attackers to access to an organization's entire cloud environment. Attackers are increasingly focusing on cloud identity services such as Entra ID, Okta, and Ping, because once they are able to compromise one of these providers, they have complete access to enterprise data in SaaS apps.

Cymulate's proof-of-concept attack leverages what the company says is a vulnerability in Entra ID when syncing multiple on-premises domains to a single Azure tenant. It also works if an organization has synced one domain because the attacker would still be able to log in as any synced user from that domain. In comments to Dark Reading, Kalendarov says syncing multiple domains is a practice that organizations often use when streamlining user access across different departments, for example, or for simplifying IT management for companies with multiple subsidiaries. Syncing multiple on-premises domains to a single Azure tenant enables seamless collaboration between separate business units, he says.

Mishandling Requests

What Cymulate discovered is that in this configuration, PTA agents can sometimes mishandle authentication requests for different on-premises domains. The company's investigation showed that when a user attempts to sign in to Entra ID, the password validation request is put in a service queue and retrieved by any available PTA from across any of the synced on-premises domains.

Cymulate found that occasionally, a PTA agent would retrieve the username and password from a different on-premises domain and attempt to validate it against its own Windows Server AD. "This results in authentication failure because the server does not recognize the specific user," Kalendarov says. "It depends on which PTA agent gets the request first. However, within our testing and research, it was a fairly common occurrence."

Cymulate's POC leverages this particular issue. To prove how an attacker could abuse it, researchers first injected an unmanaged dynamic link library into the PTA agent. Once loaded, the managed DLL intercepts the ValidateCredential function responsible for checking user credentials at both the beginning and the end. By intercepting this function, the attacker can manipulate its result, always forcing it to return True, Cymulate found. "This means that even if we provide the credentials of a user from a different domain, the hook would return True," Cymulate said. "Thus, we would be able to log in as any user from any synced on-prem AD."

The attack works only if the attacker first gains local admin access on the PTA server, Kalendarov says. "In theory, there are attacks where you first get into the PTA server and copy the certificate, then create your own replicated server. The attack would work on that server as well."

Kalendarov says it's likely that Microsoft considers the threat as moderate because the attacker needs to gain local admin access first. Additionally, Microsoft recommended that organizations treat the server as a Tier-0 component, meaning they should implement the highest level of security controls, such as strict access management, enhanced monitoring, and network isolation. But the reality is that most companies do not treat it as a Tier-0 component, he says. Microsoft also recommended that organizations implement two-factor authentication for all synced users.

Cymulate itself has recommended that Microsoft implement domain-aware routing to ensure authentication requests are directed to the appropriate PTA agent. "Additionally, establishing strict logical separation between different on-premises domains within the same tenant may be beneficial," the company noted.