New research has found that a well-known security weakness in Microsoft's Entra ID continues to pose a risk.
Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them vulnerable to cross-tenant nOAuth abuse in Entra ID.
First disclosed by Descope in June 2023, nOAuth refers to a weakness in how SaaS apps implement OpenID Connect (OIDC), the authentication layer built on top of OAuth to verify a user's identity.
The flawed authentication implementation essentially allows a bad actor to set the mail attribute of an Entra ID account they control to the victim's email address and then use the app's "Log in with Microsoft" feature to hijack the victim's account.
The attack is trivial, but it works because Entra ID allows users to have an unverified email address, opening the door to cross-tenant user impersonation.
It also takes advantage of the fact that an application using multiple identity providers (such as Google, Facebook, or Microsoft) can inadvertently let an attacker log in as the target user, simply because the email address is used as the sole criterion for uniquely identifying and merging accounts.
Semperis' threat model focuses on the nOAuth variant involving multi-tenant applications that allow sign-in with Entra ID; in other words, the attacker and the victim are in two different Entra ID tenants.
"nOAuth abuse is a serious threat that many organizations may be exposed to," said Eric Woodruff, chief identity architect at Semperis. "It's low effort, leaves virtually no trace, and bypasses end-user protections."
"A threat actor who successfully abuses nOAuth would be able not only to access SaaS app data but also potentially to move laterally into Microsoft 365 resources."
Semperis said it reported the findings to Microsoft in December 2024, prompting the Windows maker to reiterate the recommendations it had issued in 2023, coinciding with the public disclosure of nOAuth. It also noted that vendors who do not comply with the recommendations risk having their applications removed from the Entra app gallery.
Microsoft has also stressed that using claims other than the subject identifier (the "sub" claim) to uniquely identify the end user in OpenID Connect is non-compliant.
"If an OpenID Connect relying party relies on any other claims except the combination of sub (subject) and iss (issuer) as the primary account identifier in OpenID Connect, they are violating the expected contract between the identity provider and the relying party," the company said at the time.
Responsibility for nOAuth remediation ultimately lies with developers, who must implement authentication properly to prevent account takeover by establishing a unique, immutable user identifier.
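The account-linking mistake behind nOAuth, and the fix Microsoft's guidance calls for, as an added Python example that is not Semperis' or Microsoft's code: a relying party that resolves the signed-in user by the `email` claim is shown beside one keyed on the `(iss, sub)` pair. It assumes that token signature, audience and expiry validation have already been done by an OIDC library, so only the claim set reaches these functions; the tenant IDs, subject values and addresses are constructed. Replayed against an attacker token from a second tenant whose mail attribute was set to the victim's address, the email-keyed lookup returns the victim's account while the `(iss, sub)`-keyed lookup finds no match.

```python
"""Account linking in an OIDC relying party: the nOAuth-prone pattern and the hardened one.

Added illustration, not Semperis' or Microsoft's code. Signature/audience/expiry checks
are assumed to have happened in an OIDC library; only the validated claim set arrives here.
Tenant IDs, subs and e-mail addresses below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample tenants (GUID format, not real tenants).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"


def entra_claims(tenant_id: str, sub: str, email: str) -> dict:
    """Build the subset of an Entra ID v2.0 ID-token claim set that account linking looks at.

    For v2.0 tokens the issuer URL is tenant-specific, so (iss, sub) is unique across tenants.
    'email' mirrors the account's mail attribute, which Entra ID does not verify and which the
    owner of a tenant can set to any value, including another tenant's user address.
    """
    return {
        "iss": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "tid": tenant_id,
        "sub": sub,
        "email": email,
    }


@dataclass
class Account:
    account_id: str
    email: str
    # Identities allowed to sign in to this account, keyed on (iss, sub).
    linked_identities: set = field(default_factory=set)


def vulnerable_lookup(claims: dict, accounts: list) -> "Account | None":
    """nOAuth-prone: resolves the signed-in user by the unverified email claim alone."""
    email = claims.get("email", "").lower()
    for acct in accounts:
        if acct.email.lower() == email:
            return acct
    return None


def hardened_lookup(claims: dict, accounts: list) -> "Account | None":
    """Resolves the signed-in user only by the (iss, sub) pair, as the OIDC contract requires.

    An unknown (iss, sub) returns None: the caller then provisions a fresh account or runs an
    explicit, out-of-band verified-email linking flow, never a silent merge on 'email'.
    """
    key = (claims["iss"], claims["sub"])
    for acct in accounts:
        if key in acct.linked_identities:
            return acct
    return None


def demo() -> dict:
    """Replay the cross-tenant scenario and report which lookup hands over the victim's account."""
    victim_token = entra_claims(VICTIM_TENANT, "victim-sub-0001", "alice@victim.example")
    victim = Account("acct-42", "alice@victim.example")
    victim.linked_identities.add((victim_token["iss"], victim_token["sub"]))
    accounts = [victim]

    # Attacker controls a different tenant and sets their own mail attribute to the victim's address.
    attacker_token = entra_claims(ATTACKER_TENANT, "attacker-sub-9999", "alice@victim.example")

    return {
        "victim_vulnerable": vulnerable_lookup(victim_token, accounts),
        "victim_hardened": hardened_lookup(victim_token, accounts),
        "attacker_vulnerable": vulnerable_lookup(attacker_token, accounts),  # victim's account
        "attacker_hardened": hardened_lookup(attacker_token, accounts),      # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.account_id if result else 'no match'}")
```

Two practical notes. A multi-tenant app that authenticates against the `common` or `organizations` authority still receives a tenant-specific `iss` in v2.0 tokens, so the `(iss, sub)` key stays unique across tenants, but the app must validate that `iss` matches the token's `tid` rather than accepting any issuer string. And adding an email-based match as a fallback when `(iss, sub)` is unknown reintroduces the exact weakness the hardened function removes.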
"nOAuth abuse exploits cross-tenant vulnerabilities and can lead to SaaS data exfiltration, persistence, and lateral movement," the company said. "Abuse of vulnerable applications is difficult for customers to detect, and impossible for customers of vulnerable applications to defend against."
The disclosure comes as Trend Micro demonstrated that Amazon Elastic Kubernetes Service (EKS) Pod Identity, a feature meant to simplify access to Amazon Web Services (AWS) resources from Kubernetes workloads, can be abused to let attackers conduct follow-on activities.
The cybersecurity company said attackers can exploit excessive privileges granted to containers using methods such as packet sniffing of unencrypted HTTP traffic to obtain account access, and API abuse that relies on manipulated network interface controller (NIC) settings.
"The findings (...) highlight critical security considerations when using Amazon EKS Pod Identity to simplify access to AWS resources in Kubernetes," security researcher Jiri Gogela noted.
"These vulnerabilities emphasize the importance of adhering to the principle of least privilege, ensuring proper container configuration, and minimizing opportunities for malicious actors to exploit them."