Secureworks Discovers Vulnerability In Microsoft Identity Solution


Microsoft rushes fix after Secureworks researchers uncovered a vulnerability in Power Platform via Azure AD (now known as Entra ID)

Researchers at cybersecurity specialist Secureworks have uncovered a ‘vulnerability of critical severity’ in Microsoft’s Power Platform.

According to Secureworks, its researchers in early 2023 uncovered a vulnerability in Power Platform via Microsoft’s Azure AD (now known as Entra ID) environment.

This vulnerability concerned an abandoned reply URL related to the Microsoft Power Platform that gave access to high-level permissions and control in the organisation.


Critical vulnerability

Secureworks told Silicon UK that its researchers had demonstrated how the abandoned URL could allow a threat actor to gain privileged access on the Power Platform API by hijacking the tokens of a privileged user.

The attacker could use the abandoned URL associated with the Power Platform application to redirect authorisation codes to themselves, then exchange those authorisation codes for access tokens.

This flaw allowed Secureworks researchers to gain administrative privileges on the Power Platform API for any high-privilege user who has an existing single sign-on session and clicks the malicious link (abandoned URL).

Secureworks said the goal of its researchers was not to further abuse this privileged access but to demonstrate that privileged actions, such as elevating applications to the system administrator role and deleting environments, were possible.

In this case, an attacker with malicious intent and adequate knowledge of the Power Platform admin API operations could likely develop additional scenarios, Secureworks warned.

The good news, however, is that there has been no evidence of this vulnerability being abused in the wild.

And Microsoft acted quickly and closed the vulnerability within 24 hours.

The security specialist said that while this reply URL takeover vulnerability involved an abandoned reply URL for the Power Platform application within Microsoft’s own environment, the same vulnerability could be found in any organisation’s internally managed Azure AD apps, or apps they offer their customers.

Abandoned URLs

“In this case we found the vulnerability in Microsoft’s own environment, but organisations need to be aware that abandoned reply URLs can be common in their own Azure AD environments and can easily be susceptible to a reply URL takeover,” said Joosua Santasalo, senior principal security researcher at Secureworks Counter Threat Unit.

“There is a possibility that any company could have the same vulnerability with a number of abandoned reply URLs, depending on what kind of delegated permissions the application had been enabled for,” said Santasalo. “This could be from profile reads, to having write access to Azure AD based on the Azure AD permissions of the underlying compromised object (user).

“While using Azure on the day to day, it is normal that URLs are abandoned due to personnel changes or projects ending,” said Santasalo. “It is therefore critical for organizations to regularly review and clean up their Azure AD environments for these URLs to best remediate against this.”

To help mitigate this threat, the Secureworks team is providing a tool for organisations to use. It can be found here.
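A first-pass version of the review Santasalo recommends, as an added example (it is not the Secureworks tool and not code from the article): it walks exported app registrations and flags reply URLs whose host no longer resolves. The input shape follows Microsoft Graph application objects (`web`, `spa` and `publicClient` `redirectUris`); the sample apps, hostnames and the `KNOWN_LIVE` stand-in resolver are constructed.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample, shaped like Microsoft Graph application objects.
# Display names and hostnames are invented for illustration.
SAMPLE_APPS = [
    {"displayName": "HR Portal",
     "web": {"redirectUris": ["https://hr.example.com/signin-oidc",
                              "https://hr-pilot.example.net/auth"]},
     "publicClient": {"redirectUris": ["http://localhost:8400"]}},
    {"displayName": "Field App",
     "web": None,
     "spa": {"redirectUris": ["https://*.example.org/callback"]},
     "publicClient": {"redirectUris": ["constructed-scheme://auth"]}},
]
KNOWN_LIVE = {"hr.example.com"}  # constructed stand-in for DNS, keeps the demo offline
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def dns_resolves(host):
    """Live check: does the hostname resolve right now?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_reply_urls(apps, resolves=dns_resolves):
    """Return (app, platform, uri, reason) for reply URLs that need review."""
    findings = []
    for app in apps:
        for platform in ("web", "spa", "publicClient"):
            for uri in (app.get(platform) or {}).get("redirectUris", []):
                parts = urlsplit(uri)
                host = parts.hostname
                # Custom schemes (native apps) and loopback have no host to lose.
                if parts.scheme not in ("http", "https") or not host or host in LOOPBACK:
                    continue
                if "*" in host:
                    reason = "wildcard host, cannot be checked by name"
                elif not resolves(host):
                    reason = "host does not resolve, candidate abandoned reply URL"
                else:
                    continue  # resolves today; ownership still needs confirming
                findings.append((app["displayName"], platform, uri, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_reply_urls(SAMPLE_APPS, resolves=KNOWN_LIVE.__contains__):
        print(finding)
```

A host that still resolves is not proof the organisation still controls the endpoint, so treat the output as a shortlist for manual review rather than a clean bill of health.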