This Microsoft Entra ID Vulnerability Could Have Been Catastrophic (wired.com)

Security researcher Dirk-jan Mollema discovered two vulnerabilities in Microsoft's Entra ID identity platform that could have granted attackers administrative access to virtually all Azure customer accounts worldwide. The flaws involved legacy authentication systems -- Actor Tokens issued by Azure's Access Control Service and a validation failure in the retiring Azure Active Directory Graph API.

Mollema reported the vulnerabilities to Microsoft on July 14. Microsoft released a global fix three days later and found no evidence of exploitation. The vulnerabilities would have allowed attackers to impersonate any user across any Azure tenant and access all Microsoft services using Entra ID authentication. Microsoft confirmed the fixes were fully implemented by July 23 and added additional security measures in August as part of its Secure Future Initiative. The company issued a CVE on September 4.

  • "granted attackers administrative access" or the attackers did a good job cleaning up!
    • by Viol8 ( 599362 )

      Could be way too many logs on multiple servers, some possibly in-memory rather than file based, that they'd have to know about in order to wipe all trace of their activities. Or at least that's how a proper service provider would implement things, but then this is MS after all.

      • MS knew about it on July 14, the CVE came out on Sept 4. They were trying to save face.
      • by Z00L00K ( 682162 )

        Even if you have logs you need to have someone able to process and interpret them.

        I'm just waiting for the day someone successfully makes an intrusion and then locks out everyone using Entra / Microsoft Accounts from their computers. If you can't log in anymore and you have BitLocker enabled on your hard drive then you'd lose everything.

    • Re: (Score:2, Troll)

      by DarkOx ( 621550 )

      It is easy to not find evidence of something if you don't look too hard.

      This is a case where even if there were IOCs and you found them the clean up would be nearly impossible. Think about their 'Shared Responsibility Model' and the implication here. If MS were to acknowledge some kind of serious breach occurred in their core Entra-ID IAM platform...they'd either have to be able to conclusively identify all the impacted subscriptions or every single one of their subscribers would have to kick off th

      • by Bongo ( 13261 )

        I think you have a good point.

        It's yet another example of human systems which are affected by perverse incentives.

        I can't think of anyone in this situation who would want the truth to be known... if they have found evidence that this has been exploited.

        And after all, any security researcher or hacker would have been focusing on trying to find poor validation logic, amongst other things -- it's not some counterintuitive side channel.

        I really can't think of anyone who'd really want it to be known that this ha

        • by Bongo ( 13261 )

          And just to be clear, I'm commenting on incentives and the relatively small number of people in positions of authority at a corporation or a client who would be in a position to make a decision to keep this quiet. I'm not talking about the average ethical person who just wants to do the right thing -- they may want to, but they'll be under pressure by the perverse incentive structure. And it's speculative whether there has been any actual breach or any wider impacts. It's just a scenario.

  • WTF is Entra ID (Score:3, Interesting)

    by PDXNerd ( 654900 ) on Friday September 19, 2025 @03:43AM (#65670028)

    I had to look this up, apparently Entra ID is an evolution of ADFS or Active Directory Federation in the cloud. I guess you get what you deserve if you're using Microsoft security products in the cloud. Also, Entra ID is a terrible name but AD is a terrible product so I guess it's an evolution of the same terrible security issues.

    • I guess you get what you deserve if you're using Microsoft security products in the cloud.

      I guess you get what you deserve if you're using the cloud.

      There, FTFY.

    • by fuzzyf ( 1129635 )
      They just renamed it. It's not an evolution of the product.
      Probably to distinguish it even further from regular on-prem AD.
    • They've just been renaming their Azure-whatever to Entra-whatever and O365 to M365… Who knows why, it is the same M$ oil tanker slop still but some marketing suit-n-tie probably thought it will make greedy investors happy because it sounds new and exciting, or whatever.

    • by hjf ( 703092 )

      lol "entra" means in spanish "[it] enters" or "[can] enter".

      the service for "keeping unauthorized things out" is called "can enter"

    • Entra ID is AD with OpenID-ish instead of Kerberos-ish. Because Microsoft's early cloud architects decided that they needed to jettison Kerberos to move to the cloud, which was really dumb. Also sure the infrastructure team standing up all of those Linux boxes did not want to have to deal with LDAP config being a pre-condition to everything. They would be so much better off if they had just doubled down on Kerberos. Now they have a giant mess of variations in how authentication works that have all bee
    • Ikr, it's still weird to me how for so many organizations it suddenly became OK to have publicly facing servers running Windows.
      • Fun fact, Microsoft's Azure cloud infrastructure is primarily based on Linux. Also, you can spin up Linux virtual machines as part of cloud services. Even the microservices ("Azure Apps") can run Linux.

        Windows is the curse of the non-technical class.

    • I guess you get what you deserve if you're using Microsoft security products in the cloud.

      Precisely what did people get here? A security vulnerability automatically patched in the back end quickly with no evidence of exploit? It sounds like this was addressed faster than any Windows Server patch ever was, including past Active Directory.

      I'm not sure what you're saying here, that we should all switch to the cloud because of how quickly the issue was addressed and how seriously Microsoft took the situation? I think you're trying to say something negative about a story that is actually a rather big

    • Oh, you hadn't heard? Maybe you knew it as Azure Active Directory.

      They can't seem to settle on a name they like.

    • My company uses Microsoft for email. Managing users is a mess with two systems ("Admin" and "Entra"). We don't use Microsoft for any Windows logins or anything resembling the cloud AD.

      Earlier this year, one of my users lost access to his authenticator app. I followed instructions I found on the web, which went through the "Admin" web pages. Didn't work. I got on a support call with Microsoft, in which they could see my screen. They talked me through the same steps as I had performed earlier. Didn't work, ev

  • by ledow ( 319597 )

    It's inevitable that something like this will appear regularly, and one day it will be silently exploited.

    At that point, everyone will scramble back to on-prem, but until then we have to tolerate this cloud nonsense, apparently.

    • I just attended an HPE/MS webinar about "Azure Local", or simply Azure On Premise. I haven't been so amused in quite a while.

      • soon it will be touted as the 'new extra secure Azure' and then it's going to be 'company machines do not have to be on the internet'
    • by gweihir ( 88907 )

      It's inevitable that something like this will appear regularly, and one day it will be silently exploited.

      That has already happened and MS did not notice at all. After 2 years, one of their customers noticed:
      https://www.cisa.gov/sites/def... [cisa.gov]

      The utter catastrophe of the MS cloud "strategy" is slowly getting worse and worse. Most "decision makers" at MS customers are deep in denial because they do not have an exit strategy. But there is really no way this is going to end in any other way than very badly. MS still cannot get basic stuff right at this time. That simply means they cannot fix the crap they built anym

  • Something of the order of $1,000,000. We need to see bug hunters rewarded massively to encourage them to report the issue to the software builder.

    It would be interesting to know what the NSA, FSB, MSS or Mossad would have paid for the bugs...

  • I'm not saying cloud is necessarily riskier than on-premises*, but cloud failures can easily make headlines due to the scope, and such could set the likes of MS into a financial tailspin. While that is perhaps a good thing, they'll hurt a lot of customers in desperation for cash during their spiral to Hell.

    * The average org didn't manage on-premises well either.

  • This is not the first time they made really bad mistakes like that. And they continue to make them. "Security is our highest priority" is nothing but a lie. At this time, the only valid conclusion is that MS cannot do this right and is incapable of learning.

  • How do they know it wasn't already exploited? Dirk-jan Mollema created a test account that could authenticate as any user without being detected. Why didn't the Microsoft Security Response Center (MSRC) catch this? Is it due to the nature of the product, a highly interconnected system made up of numerous components, making it difficult for developers to fully understand and, most importantly, hard to clone?
