Vulnerability in Azure AD Connect Could Allow Elevation of Privilege

Password writeback is a component of Azure AD Connect. It allows users to configure Azure AD to write passwords back to their on-premises Active Directory. It provides a convenient cloud-based way for users to reset their on-premises passwords wherever they are. For information about password writeback, refer to Password writeback overview.

To enable Password writeback, Azure AD Connect must be granted Reset Password permission over the on-premises AD user accounts. When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts). For information about AD privileged user accounts, refer to Protected Accounts and Groups in Active Directory.

This configuration is not recommended because it allows a malicious Azure AD Administrator to reset the password of an arbitrary on-premises AD privileged user account to a known password value using Password writeback. This in turn allows the malicious Azure AD Administrator to gain privileged access to the customer's on-premises AD.

See CVE-2017-8613 - Azure AD Connect Elevation of Privilege Vulnerability 

Suggested Actions

Verify if your organization is affected

This issue only affects customers who have enabled the Password writeback feature on Azure AD Connect. To determine if the feature is enabled:

  1. Log in to your Azure AD Connect server.
  2. Start Azure AD Connect wizard (START → Azure AD Connect).
  3. On the Welcome screen, click Configure.
  4. On the Tasks screen, select View current configuration and click Next.
  5. Under Synchronization Settings, check if Password Writeback is enabled.

If Password writeback is enabled, evaluate whether your Azure AD Connect server has been granted Reset Password permission over on-premises AD privileged accounts. Azure AD Connect uses an AD DS account to synchronize changes with on-premises AD. The same AD DS account is used to perform password reset operations against on-premises AD. To identify which AD DS account is used:

  1. Log in to your Azure AD Connect server.
  2. Start the Synchronization Service Manager (Start → Synchronization Service).
  3. Under the Connectors tab, select the on-premises AD connector and click Properties.

Mitigation steps

If you are unable to immediately upgrade to the latest “Azure AD Connect” version, consider the following options:

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account may rely on the group membership for permissions required by other features such as Password synchronization or Exchange hybrid writeback). In that case, consider creating a DENY ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission. For information on how to create a DENY ACE using the Windows DSACLS tool, refer to Modify the AdminSDHolder container.
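The two checks described above (whether the AD DS account is a member of a protected group, and whether adminSDHolder grants it Reset Password) and the DENY ACE mitigation, as an added PowerShell example that is not part of the advisory. It assumes the ActiveDirectory module (RSAT) is installed, that it runs with domain-admin rights, and that MSOL_PLACEHOLDER stands for the AD DS account name shown in Synchronization Service Manager; the GUID used is the well-known Reset Password (User-Force-Change-Password) control access right.

```powershell
# Added example, not part of the Microsoft advisory. Assumes the ActiveDirectory
# PowerShell module (RSAT) is available and that it runs as a domain admin.
# $AdDsAccount is a placeholder: use the AD DS account shown under the connector's
# Properties in Synchronization Service Manager.
param(
    [string]$AdDsAccount = 'MSOL_PLACEHOLDER',
    [switch]$AddDenyAce          # report only unless this switch is given
)
Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) control access
# right, and the null GUID that an ACE uses to mean "all extended rights".
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRightsGuid     = [guid]'00000000-0000-0000-0000-000000000000'

$domain        = Get-ADDomain
$account       = Get-ADUser -Identity $AdDsAccount
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$ntAccount     = "$($domain.NetBIOSName)\$($account.SamAccountName)"

# Check 1: transitive membership of the AD DS account in protected groups (adminCount = 1).
# The matching-rule OID 1.2.840.113556.1.4.1941 makes the filter follow nested membership.
$protectedGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($account.DistinguishedName))" -Properties adminCount |
    Where-Object { $_.adminCount -eq 1 }
foreach ($g in $protectedGroups) {
    Write-Warning "$ntAccount is a (nested) member of protected group '$($g.Name)'"
}

# Check 2: Allow ACEs on AdminSDHolder that give the account Reset Password.
# SDProp stamps this ACL onto every protected account, so such an ACE extends
# password writeback to Domain/Enterprise Admins.
$acl           = Get-Acl -Path $adminSdHolder
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$riskyAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ntAccount
} | Where-Object {
    $grantsExtended = ($_.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight
    $matchesRight   = $_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq $AllRightsGuid
    $fullControl    = ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
    ($grantsExtended -and $matchesRight) -or $fullControl
}
foreach ($ace in $riskyAces) {
    Write-Warning ("AdminSDHolder grants {0}: {1} (ObjectType {2})" -f $ntAccount, $ace.ActiveDirectoryRights, $ace.ObjectType)
}
if (-not $protectedGroups -and -not $riskyAces) {
    Write-Host "No Reset Password path to protected accounts found for $ntAccount"
}

# Mitigation: an explicit Deny ACE for Reset Password on AdminSDHolder. Deny wins over
# Allow, and SDProp copies it to protected accounts only, so writeback for ordinary
# users keeps working. The DSACLS form of the same change (placeholder names):
#   dsacls "CN=AdminSDHolder,CN=System,DC=contoso,DC=com" /D "CONTOSO\MSOL_PLACEHOLDER:CA;Reset Password"
if ($AddDenyAce) {
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $account.SID,
        $extendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $adminSdHolder -AclObject $acl
    Write-Host "Deny ACE added; SDProp applies it to protected accounts on its next run (every 60 minutes by default)."
}
```

Run it without the switch first to see what the AD DS account can currently do; the group-membership check is transitive, so an account that reaches Domain Admins through a nested group is reported too. Only the Deny ACE path changes anything, and because SDProp propagates the AdminSDHolder DACL to protected accounts alone, non-privileged users can still have their passwords written back.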

AWS vs. Azure vs. GCP Storage Comparison

Cloud Based Storage Options:

  • Object Storage
  • Block Storage
  • Instance/Server Storage (Ephemeral)
  • Archival Storage
  • Content Delivery Networks
  • Queue Services
  • Database Services
  • Caching Services
  • Import/Export Services

AWS:

Amazon’s block storage service is called “Elastic Block Storage” (EBS) and supports three types of persistent disks: Magnetic, SSD and SSD with provisioned IOPS. Maximum volume sizes range from 1TB for magnetic disks, up to 16TB for SSD disks.

Object storage service is “Simple Storage Service” (S3), with four different SLAs: standard, standard - infrequent access, reduced redundancy and Glacier (for archiving). All data is stored in one availability zone, unless manually replicated across AZs or regions.

Azure:

Microsoft's storage services are all referred to as Blobs. Page Blobs and Disks are Azure's block storage service. Storage is defined as Standard (magnetic) or Premium (SSD), with volumes of up to 1TB.

Offered in four different SLA levels: Locally redundant storage (LRS), where redundant copies of the data are stored within the same data center; Zone redundant storage (ZRS), where redundant copies are stored in different data centers within the same region; and Geographically redundant storage (GRS), which performs LRS in two distant data centers for the highest level of durability and availability.

Google:

There are two options, magnetic or SSD volumes; however, the IOPS count is fixed. Ephemeral (local) disks are fully configurable and are part of the block storage offering.

Object storage is called Google Storage and is divided into three classes: Standard, Durable Reduced Availability for less critical data (similar to RRS in S3), and Nearline, which is for archives.

Physical Data Transport:

AWS

  • Import/Export Disk
  • Snowball

Azure

  • Import/Export Service

Google

  • Offline Media Import/Export (Third Party Tool)