Microsoft has issued an update for Azure Active Directory (AD) Connect fixing a flaw that could lead to an elevation of privilege.
The vulnerability (CVE-2017-8613) comes into play if AD Connect Password writeback is misconfigured during enablement, Microsoft said in advisory 4033453. If exploited, an attacker could potentially reset passwords and gain access to on-premises AD privileged user accounts. AD Connect version 1.1.553.0, which Microsoft recommends be installed immediately, eliminates this issue by no longer allowing arbitrary password resets of on-premises AD privileged user accounts.
Microsoft wrote that the new version of Azure AD Connect:
- Checks if the target on-premises AD account is a privileged account by validating the AD adminCount attribute. If the value is null or 0, Azure AD Connect concludes this is not a privileged account and permits the Password writeback request.
- If the value is not null or 0, Azure AD Connect concludes this is a privileged account. It then validates whether the requesting user is the owner of the target on-premises AD account. It does so by checking the relationship between the target on-premises AD account and the Azure AD account of the requesting user in its Metaverse. If the requesting user is indeed the owner, Azure AD Connect permits the Password writeback request. Otherwise, the request is rejected.
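The two-step rule above, modelled in Python as an added example (this is not Microsoft's code; the on-premises accounts and the Metaverse link table are constructed stand-ins, and the Azure AD object ids are invented):

```python
from typing import Optional

# Constructed sample of on-premises AD accounts. adminCount is the attribute
# Azure AD Connect 1.1.553.0 inspects; None models an unset (null) attribute.
ON_PREM_ACCOUNTS = {
    "alice": {"adminCount": None},  # ordinary user, attribute never set
    "bob": {"adminCount": 0},       # attribute present but cleared
    "da-carol": {"adminCount": 1},  # member of a protected group (AdminSDHolder)
}

# Constructed stand-in for the Metaverse join: on-premises account -> Azure AD
# object id of the user it is linked to. Unlinked accounts have no entry.
METAVERSE_OWNER = {
    "alice": "aad-obj-1001",
    "bob": "aad-obj-1002",
    "da-carol": "aad-obj-2001",
}


def is_privileged(account: dict) -> bool:
    """Privileged iff adminCount is set and non-zero; null or 0 => not privileged.

    Note: AD does not clear adminCount when an account leaves a protected group,
    so former admins still count as privileged here. The check fails closed.
    """
    value: Optional[int] = account.get("adminCount")
    return value is not None and value != 0


def permit_password_writeback(target: str, requesting_aad_id: str) -> bool:
    """True if a writeback request from requesting_aad_id for target is allowed."""
    account = ON_PREM_ACCOUNTS.get(target)
    if account is None:
        return False  # unknown target: nothing to write back to
    if not is_privileged(account):
        return True   # step 1: non-privileged account, request permitted
    # Step 2: privileged account, only the linked owner may reset it.
    return METAVERSE_OWNER.get(target) == requesting_aad_id


if __name__ == "__main__":
    for target, requester in [("alice", "aad-obj-9999"), ("da-carol", "aad-obj-1001"),
                              ("da-carol", "aad-obj-2001")]:
        print(target, requester, permit_password_writeback(target, requester))
```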