
Unfixed Microsoft Entra ID Authentication Bypass Poses Threat to Hybrid IDs

Researchers at Cymulate have disclosed a vulnerability in Microsoft Entra ID hybrid identity environments that use Pass-Through Authentication (PTA) agents. By manipulating the agent's credential validation process, an attacker can bypass authentication for users synced from on-premises Active Directory.

In its report, Cymulate detailed how an attacker with admin access to a server hosting a PTA agent can exploit the flaw to log in as an Entra ID user synced from a different on-premises domain, without having to authenticate separately as that user. This effectively turns the PTA agent into a "double agent," granting unauthorized access to any synced AD user account regardless of the domain it came from, including accounts that hold Global Administrator privileges.

Microsoft has acknowledged the issue and plans to address it with a code fix, though the company has categorized the severity of the threat as medium. This discovery comes on the heels of another security flaw disclosed at Black Hat USA 2024, which highlighted the risks associated with Entra ID privileged users potentially becoming global admins, thus compromising an organization’s entire cloud environment.

Attackers are increasingly targeting cloud identity services like Entra ID, Okta, and Ping because compromising these providers can offer direct access to enterprise data in SaaS applications. Cymulate’s proof-of-concept attack specifically targets Entra ID configurations where multiple on-premises domains are synced to a single Azure tenant, a common practice among organizations looking to streamline user access across different departments or simplify IT management for subsidiaries.

The vulnerability Cymulate identified stems from how authentication requests are handled when several on-premises domains are synced to one tenant. Entra ID does not route a sign-in to a PTA agent belonging to the user's own domain: a request for a user in one domain can be handed to an agent installed in another, which cannot validate the credentials and returns an authentication failure. An attacker with admin rights on a PTA server can inject a managed DLL into the agent process and tamper with this credential validation step so that the agent reports success, gaining access as any user from any synced on-premises AD.

The attack works only if the attacker has already gained local admin access to the PTA server, which underscores the need for strict access controls, monitoring, and network isolation on this component. Microsoft recommends treating PTA servers as Tier-0 assets and enforcing two-factor authentication for all synced users.
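Monitoring a PTA server for the kind of tampering described above, as an added example that is not part of the original article or of Cymulate's research: the script below scans Sysmon ImageLoad (Event ID 7) and CreateRemoteThread (Event ID 8) events and flags any module loaded into the PTA agent process that does not carry a valid Microsoft signature, plus any thread another process creates inside the agent. The agent binary name AzureADConnectAuthenticationAgentService.exe, its install path, the Microsoft-only signer requirement and the sample events are assumptions constructed here for illustration.

```python
"""Flag DLL injection into a Pass-Through Authentication (PTA) agent using
Sysmon telemetry. Added example, not from the article or from Cymulate.

Assumptions (not stated on the page):
  * the PTA agent process is AzureADConnectAuthenticationAgentService.exe;
  * every module it legitimately loads carries a valid Microsoft signature;
  * events arrive as dicts keyed by Sysmon's own field names
    (EventID, Image, ImageLoaded, Signed, Signature, SignatureStatus,
    SourceImage, TargetImage).
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

PTA_AGENT_IMAGE = "AzureADConnectAuthenticationAgentService.exe"  # assumed binary name
TRUSTED_SIGNER_PREFIX = "Microsoft"  # assumed: only Microsoft-signed code is expected


@dataclass(frozen=True)
class Alert:
    rule: str     # which detection fired
    detail: str   # offending module path or injecting process


def _basename(path: str) -> str:
    """File-name portion of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_pta_agent(path: str) -> bool:
    return _basename(path) == PTA_AGENT_IMAGE.lower()


def _module_is_trusted(event: Dict[str, Any]) -> bool:
    """A module is trusted only if Sysmon saw a valid signature from Microsoft."""
    signed = str(event.get("Signed", "false")).lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    signer = str(event.get("Signature", ""))
    return signed and valid and signer.startswith(TRUSTED_SIGNER_PREFIX)


def analyze(events: Iterable[Dict[str, Any]]) -> List[Alert]:
    """Run both detections over a stream of parsed Sysmon events."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        # Rule 1: an untrusted image loaded into the agent (e.g. an injected managed DLL).
        if eid == 7 and _is_pta_agent(ev.get("Image", "")) and not _module_is_trusted(ev):
            alerts.append(Alert("pta_untrusted_module", ev.get("ImageLoaded", "")))
        # Rule 2: another process created a thread inside the agent (classic injection).
        elif eid == 8 and _is_pta_agent(ev.get("TargetImage", "")):
            alerts.append(Alert("pta_remote_thread", ev.get("SourceImage", "")))
    return alerts


AGENT_PATH = (r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent"
              r"\AzureADConnectAuthenticationAgentService.exe")  # assumed install path

# Constructed sample telemetry: a benign load, an unsigned DLL loaded into the
# agent, a remote thread into the agent, an unrelated process, and an event type
# the detector ignores.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 7, "Image": AGENT_PATH, "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": AGENT_PATH, "ImageLoaded": r"C:\Users\Public\ptahook.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\inject.exe", "TargetImage": AGENT_PATH},
    {"EventID": 7, "Image": r"C:\Program Files\Acme\acme.exe",
     "ImageLoaded": r"C:\Users\Public\plugin.dll", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def run_sample() -> List[Alert]:
    """Apply the detector to the constructed sample; two alerts are expected."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule}: {a.detail}")
```

The same check can be run live on the host by enumerating the agent process's loaded modules and verifying each one's Authenticode signature; in a SIEM, tightening rule 1 to an allow-list keyed to the agent's install directory would also catch validly signed modules loaded from unexpected locations.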

To address the root cause, Cymulate suggests that Microsoft implement domain-aware routing so that each authentication request is directed to a PTA agent for the user's own domain, and enforce strict logical separation between the on-premises domains synced to the same tenant, which would limit unauthorized access and lateral movement across domains.

Overall, this discovery underscores the importance of proactive security measures in protecting hybrid identity infrastructures against evolving threats. By addressing vulnerabilities promptly and implementing robust security controls, organizations can enhance their resilience to potential attacks targeting cloud identity services like Microsoft Entra ID.
