
How to Protect Your Organization from Azure AD Reply URL Abuse

Security researchers have disclosed a privilege escalation vulnerability that stems from an abandoned Azure Active Directory (Azure AD) reply URL. By taking control of the host that the abandoned URL points to, a threat actor can capture authorization codes, exchange them for access tokens and escalate privileges in the Microsoft Power Platform API.

Understanding the Vulnerability

At its core, the vulnerability hinges on abandoned Azure AD reply URLs: redirect URIs that are still registered on an application even though nobody owns the hostname they point to any more. Researchers searched for such URLs and assessed how they could be misused, particularly in connection with Azure services.

The investigation turned up an abandoned reply URL on the Dynamics Data Integration app. The URL pointed at an Azure Traffic Manager profile under the domain dataintegratorui[.]trafficmanager[.]net, a name that was no longer in use and could therefore be registered by a third party.

What makes the finding more serious is that the app is a first-party Microsoft application: it is pre-consented in every tenant, so no consent prompt is shown to the victim when the attack begins. Legitimately, the application uses the GetExternalData API to proxy requests to a limited set of downstream APIs. A request to GetExternalData (https://<middletierservice>/api/GetExternalData) carries three payload parameters, ‘url’, ‘requestData’ and ‘requestType’, plus the ‘audience’ of the token to be requested. Because the caller supplies both the downstream ‘url’ and the token ‘audience’, these parameters are central to how the vulnerability is exploited.

Exploitation by Threat Actors

An attacker who controls the host behind the abandoned reply URL can send victims a sign-in link for the first-party app whose redirect_uri points at that host. Because the URL is a registered reply URL, Azure AD accepts it: after the victim authenticates, Azure AD redirects the browser to the attacker’s server with the authorization code in the query string. The server captures the code and exchanges it for access tokens, giving the attacker a foothold in the victim’s tenant from which to escalate privileges.
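The redirect step described above, as an added example that is not part of the original article or of the Secureworks report. It is a simplified offline model of the OAuth 2.0 authorization-code flow: the registered reply URLs, client ID, state and authorization code are constructed placeholders, and `idp_accepts_redirect` stands in for the provider-side check, which only compares the requested redirect_uri against the registered list and cannot know whether the host behind it is still owned by the vendor.

```python
"""
Added example (not code from the original article or the Secureworks report):
a minimal model of the OAuth 2.0 authorization-code redirect that the
abandoned-reply-URL attack relies on. Client ID, reply URLs and the
authorization code are constructed placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Reply URLs registered on a hypothetical multi-tenant first-party app.
# One of them points at a Traffic Manager hostname nobody owns any more.
REGISTERED_REPLY_URLS = {
    "https://app.example.com/signin-oidc",                      # live, owned by the vendor
    "https://dataintegratorui.trafficmanager.net/signin-oidc",  # abandoned, re-registrable
}

def build_authorize_url(client_id, redirect_uri, scope, state):
    """Authorization request a phishing link would carry. The identity
    provider, not the attacker, delivers the code to redirect_uri."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def idp_accepts_redirect(redirect_uri):
    """Simplified model of the provider-side check: redirect_uri must match a
    registered reply URL. Ownership of the host is never part of the check."""
    return redirect_uri in REGISTERED_REPLY_URLS

def callback_url(redirect_uri, code, state):
    """Where the browser is sent after the user authenticates."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

def receiver_of(url):
    """Who actually receives the authorization code: the owner of the host."""
    parsed = urlparse(url)
    return parsed.hostname, parse_qs(parsed.query).get("code", [None])[0]

def token_exchange_body(client_id, redirect_uri, code):
    """Form body for the token endpoint. Whether a client_secret is also
    needed depends on the app registration; the article describes the code
    alone being exchanged for tokens."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }

def simulate(redirect_uri, code="AQABAAIAAAD-constructed-code"):
    """Run the flow for a chosen redirect_uri and report who received the code."""
    if not idp_accepts_redirect(redirect_uri):
        return {"accepted": False, "receiver": None, "code": None}
    cb = callback_url(redirect_uri, code, state="xyz")
    host, delivered = receiver_of(cb)
    return {"accepted": True, "receiver": host, "code": delivered}

if __name__ == "__main__":
    # An attacker-chosen host that was never registered is refused by the IdP.
    print(simulate("https://evil.example.net/cb"))
    # The abandoned but still-registered host is accepted; whoever re-registered
    # dataintegratorui.trafficmanager.net now holds a valid authorization code.
    print(simulate("https://dataintegratorui.trafficmanager.net/signin-oidc"))
```

The point the model makes is that the attacker never needs to add a reply URL: the check passes precisely because the abandoned URL was left registered, so the only thing that changed is who answers at that hostname.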

Power Platform: A Tool at Risk

Microsoft’s Power Platform is a suite of low-code tools for building applications and automating processes. Its administrative API lets callers manage environments, change settings and read capacity-consumption data, and that API is what this vulnerability exposes.

With a token obtained through the abandoned reply URL, an attacker can call that API as the victim. Beyond elevating their own privileges, they can misuse administrative capabilities, for example creating an application user with the System Administrator role or deleting an entire environment with a single HTTP DELETE request.

Azure AD Graph API: A Limited Gateway

Access to the Azure AD Graph API through the middle-tier service is more limited: the attacker can read directory information but cannot modify it. This prevents direct changes to the directory, but it does not remove the risk, because a read-only view of users, groups and applications is exactly the reconnaissance an attacker needs to plan follow-on attacks.

Removing the first-party application from a tenant does not close the gap, because the application is pre-consented for all tenants and Azure AD will still issue tokens for it. Mitigation therefore has to target token issuance itself: prevent users from signing in to the affected application and restrict which legitimate applications they may use. Secureworks has published an in-depth report on the issue.
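Since the whole attack depends on a reply URL whose hostname nobody owns, the check a defender most wants is an audit of every reply URL in the tenant for dangling hostnames. The script below is an added example, not code from the original article or from Secureworks. It works over records in the shape Microsoft Graph returns for `/applications` (`web`, `spa` and `publicClient` `redirectUris`) and `/servicePrincipals` (`replyUrls`); the records themselves, the application names and the `CLAIMABLE_SUFFIXES` list are constructed for the example, and the DNS resolver is injectable so the audit can run offline.

```python
"""
Added example (not code from the original article): an offline audit of
reply URLs in the shape Microsoft Graph returns them, flagging hostnames
that no longer resolve, especially on cloud suffixes where any subscriber
can re-register the name. The records below are constructed sample data.
"""
import socket
from urllib.parse import urlparse

# Suffixes where an unclaimed hostname can typically be registered by anyone
# with a subscription, so a dangling reply URL here is directly exploitable.
# This list is an assumption for the example, not an exhaustive inventory.
CLAIMABLE_SUFFIXES = (
    ".trafficmanager.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".azurefd.net",
    ".blob.core.windows.net",
)

# Constructed records mirroring Graph /applications and /servicePrincipals output.
SAMPLE_APPLICATIONS = [
    {"displayName": "Payroll Portal (constructed)",
     "appId": "11111111-1111-1111-1111-111111111111",
     "web": {"redirectUris": ["https://payroll.example.com/signin-oidc",
                              "https://payroll-legacy.trafficmanager.net/auth"]},
     "spa": {"redirectUris": ["https://payroll.example.com/spa"]},
     "publicClient": {"redirectUris": []}},
]
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Integration UI (constructed)",
     "appId": "22222222-2222-2222-2222-222222222222",
     "replyUrls": ["https://legacy-ui.trafficmanager.net/",
                   "https://integration.example.com/callback"]},
]

def reply_urls(applications, service_principals):
    """Yield (owner, url) for every reply URL on either object type."""
    for app in applications:
        for section in ("web", "spa", "publicClient"):
            for url in (app.get(section) or {}).get("redirectUris", []):
                yield app["displayName"], url
    for sp in service_principals:
        for url in sp.get("replyUrls", []):
            yield sp["displayName"], url

def resolves(hostname):
    """Real DNS lookup; used only when no resolver is injected."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def classify(url, resolver=resolves):
    """Return (hostname, verdict) for one reply URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return host, "malformed"
    if parsed.scheme != "https":
        return host, "non-https"
    if resolver(host):
        return host, "ok"
    if host.endswith(CLAIMABLE_SUFFIXES):
        return host, "dangling-claimable"
    return host, "dangling"

def audit(applications, service_principals, resolver=resolves):
    """Return a finding for every reply URL whose verdict is not 'ok'."""
    findings = []
    for owner, url in reply_urls(applications, service_principals):
        host, verdict = classify(url, resolver)
        if verdict != "ok":
            findings.append({"owner": owner, "url": url, "host": host, "verdict": verdict})
    return findings

def fake_resolver(host):
    """Offline stand-in for DNS: example.com names resolve, the abandoned
    Traffic Manager names do not (as a deleted profile would not)."""
    return host.endswith(".example.com")

if __name__ == "__main__":
    for f in audit(SAMPLE_APPLICATIONS, SAMPLE_SERVICE_PRINCIPALS, fake_resolver):
        print(f"{f['verdict']:20} {f['owner']:30} {f['url']}")
```

In a real tenant, replace the sample lists with the output of the Graph `/applications` and `/servicePrincipals` endpoints and drop the `resolver` argument so live DNS is used. A `dangling-claimable` verdict is the case this article is about and should be treated as urgent; a plain `dangling` verdict still deserves removal, since a reply URL that serves no purpose is attack surface with no benefit.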


Conclusion

The privilege escalation vulnerability rooted in abandoned Azure AD reply URLs is a significant threat to the security of Microsoft Power Platform. Threat actors can exploit it to gain unauthorized access, and although Microsoft has fixed the specific abandoned URL, the underlying problem of pre-consented applications with stale reply URLs is one that organizations must address themselves. They should audit their own applications’ reply URLs for hostnames they no longer control, stay informed about similar findings and restrict token issuance for applications their users do not need.

FAQs

  1. What is the privilege escalation vulnerability in Microsoft Power Platform?
    It is a flaw that lets threat actors gain unauthorized access to Microsoft Power Platform by exploiting abandoned Azure AD reply URLs registered on a pre-consented first-party application.
  2. How can threat actors exploit the abandoned URL?
    They register the abandoned hostname themselves and send victims a sign-in link whose redirect_uri is that URL. After the victim authenticates, Azure AD redirects the browser to the attacker’s server with the authorization code in the URL, and the server exchanges that code for access tokens.
  3. What risks does this vulnerability pose to Power Platform users?
    Users of Power Platform face unauthorized access, privilege escalation and misuse of administrative capabilities, such as creating an application user with the System Administrator role or deleting an environment.
  4. What limitations do threat actors encounter when accessing Azure AD Graph API via the middle-tier service?
    Through the middle-tier service, threat actors can only read information from the Azure AD Graph API. They cannot make changes to the directory.
  5. How can organizations address the pre-consent challenge associated with this vulnerability?
    Because removing the application does not stop token issuance, organizations should prevent users from signing in to the affected application and limit the use of legitimate applications, as outlined in the report by Secureworks.
