The Microsoft Entra vulnerability could have been disastrous


As companies around the world have moved their digital infrastructure over the past decade from self-hosted servers to the cloud, they have benefited from the unified and integrated security features of major cloud providers such as Microsoft. But with so much riding on these systems, there can be serious consequences on a large scale if something goes wrong. An example of this: Security researcher Dirk-jan Mollema recently found a pair of vulnerabilities in Microsoft Azure's identity and access management platform that could have been used to exploit the largest Azure customer accounts.

The system, known as Entra ID, stores each Azure cloud customer's user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies on weaknesses in the system, which was previously known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges, essentially god mode, and threaten every Entra ID directory, or what is known as a “tenant.” Mollema says this would have affected almost every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

“It shouldn’t really happen,” says Mollema, who runs a Dutch security company. “You are like, ‘No, this should not actually happen.’ It was very bad. Although it is bad, I would like to say.”

“From my tenants – my test tenant or even a trial tenant – you can request these tokens and you can impersonate anyone else in anybody else’s tenant. This means that you can modify other people’s configuration, create new users and administrators in that tenant, and do anything you want.”

Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft began investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the problem was fixed by July 23 and implemented additional measures in August. Microsoft released a CVE for the vulnerability on September 4.

“We mitigated the newly identified issue quickly, and we accelerated the ongoing remediation work to stop the use of this legacy protocol, as part of our Secure Future Initiative,” Tom Gallagher, vice president of the Microsoft Security Response Center, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

Gallagher says Microsoft did not find “any evidence of abuse” of the vulnerability during the investigation.

Both vulnerabilities are associated with legacy systems that are still working within Entra ID. The first involves a type of Azure authentication token Mollema discovered, known as Actor Tokens, which are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historical Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph in favor of Microsoft Graph, which is designed for Entra ID. The flaw was a failure by Azure AD Graph to properly validate which Azure tenant was making a request, which could be manipulated so that the API accepted an Actor Token from a different tenant that should have been rejected.
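
The tenant check described above, as an added example that is not from the article or from Microsoft's code: a toy API in which a validly signed token from one tenant is accepted for another tenant's data unless the token's tenant is compared with the tenant being accessed. The token format, the `tid` claim name, the key and the directory contents are simplified, constructed assumptions and do not reproduce Actor Tokens or the Azure AD Graph API.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one shared key stands in for the token issuer's signing key.
ISSUER_KEY = b"constructed-demo-key"
# Constructed directory data; tenant IDs and users are made up.
DIRECTORY = {"tenant-a": ["alice@a.example"], "tenant-b": ["bob@b.example"]}

class AccessDenied(Exception):
    """Raised when a request must be rejected."""

def _sign(payload):
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()

def issue_token(claims):
    """Return 'payload.signature', both parts base64url encoded."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + base64.urlsafe_b64encode(_sign(payload))).decode()

def verify_signature(token):
    """Check integrity only; this says nothing about which tenant is allowed."""
    try:
        payload, sig = token.encode().split(b".")
        sig_bytes = base64.urlsafe_b64decode(sig)
    except ValueError:
        raise AccessDenied("malformed token")
    if not hmac.compare_digest(_sign(payload), sig_bytes):
        raise AccessDenied("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload))

def list_users_weak(token, requested_tenant):
    """Flawed: any validly signed token works for whichever tenant is named."""
    verify_signature(token)
    return DIRECTORY.get(requested_tenant, [])

def list_users_checked(token, requested_tenant):
    """Hardened: the token's tenant must equal the tenant being accessed."""
    claims = verify_signature(token)
    if claims.get("tid") != requested_tenant:
        raise AccessDenied("token tenant does not match requested tenant")
    return DIRECTORY.get(requested_tenant, [])

if __name__ == "__main__":
    token = issue_token({"tid": "tenant-a", "sub": "service"})
    print("weak check:", list_users_weak(token, "tenant-b"))
    try:
        list_users_checked(token, "tenant-b")
    except AccessDenied as err:
        print("hardened check:", err)
```

A signature check alone proves who issued the token, not which tenant it was issued for; the resource API has to bind the two on every request.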
