![]() ![]() There are unfortunately guides on web that advise doing this. It's worth noting, that the attack can also pierce cloud MFA requirement if EAS clients can generate known bypass claims. Not checking the status of MFA in Conditional Access, or using the -SupportsMFA option for the Microsoft MFA enabled users. ![]() ![]() Scope of this advisory are primarily customers who use WS /* -Protocols for federated domains in Azure AD, and utilize access policies to enforce and bypass MFA only in the IDP side. How is advisory 2 related to advisory 1? The existence of advisory 2 makes advisory 1 possible in the described scope. Especially advisory 2Īdvisory 2 is already documented, but not well communicated, and the existing documentation is AD FS specific. Microsoft’s AD FS can be also considered applicable in this context. Obviously I can’t say anything on any of the vendors behalf. I am assuming this affects most of the vendors implementing the WS-Trust with Azure AD without knowledge of the Azure AD OAuth2 Grant Types. The scope is protocol implementation related, not vendor related! List of third 3rd party vendors providing WS-Federation/Trust support for Azure AD is long (some 15 last time I checked), so I am not highlighting any vendors here. I’ve been discussing the ramifications with a major vendor providing Federation solutions about mitigating the configuration risks with WS-Trust when used in conjunction with Azure ADĪdvisory 1 is related to how WS-Trust protocol is used in conjunction with Azure AD where clear text username and password are forwarded in TLS protected transport using the active endpoints to provide access for so-called non modern clients (Rich /Active endpoint consuming clients) Well how actionable it is? I’ve been exploiting this oversight in Red Teaming assignments, so in my experience its been really popular in deployments where the MFA is not checked on cloud side. This blog details a common oversight in MFA enforcement regarding federation implementations where MFA is invoked and required in the 3rd party IDP only. This oversight becomes effective when several by- design features, and implementation decisions align in a ”wrong” way. If there is a single post I’ve been delaying for a good while, then it’s gotta be this one. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |