Black Hat Sessions Highlight Key Challenges in Microsoft Cloud Security
September 11, 2024 • Sander Berkouwer
If you kept up with Microsoft vulnerabilities this past month, there were quite a few to read up on. In addition to these and general industry news, additional vulnerabilities were highlighted at the US Black Hat event, organized from August 3rd to August 8th in Las Vegas. With all these vulnerabilities surfacing, does this mean that Microsoft only produces insecure software? Well, no, obviously not. Does this mean that Microsoft’s Secure Future Initiative is timelier than ever? Yes, definitely.
Microsoft Cloud Security Updates from Black Hat US 2024
From a Microsoft cloud security point of view, this year’s Black Hat event was intriguing.
Black Hat provides a stage to security researchers, enthusiasts, admins and vendors to showcase their in-depth security knowledge, the latest security tools and software solution features. You can check out the keynotes, sessions (known as briefings) and speakers to get a better idea of the over-arching themes in briefings this year: a secure society, secure supply chains, secure networks, secure hardware and secure software.
Notable vulnerabilities shared
As you’d expect, many vulnerabilities are shared, demonstrated and discussed. Security researchers claim their 15 to 60 minutes of fame. They finally get to divulge their responsibly disclosed vulnerabilities, as vendors were already on the road to fixing them. Here were some key vulnerabilities and findings shared:
- Alon Leviev presented on exploiting two vulnerabilities that allowed him to trick a Windows installation into downgrading through Windows Update.
- Yehuda Smirnov showed how to phish Windows Hello for Business.
- Eric Woodruff showed a technique to elevate to Global Admin.
Responsible Disclosure
Luckily, the people presenting these sessions have responsibly disclosed any vulnerabilities that they have discovered directly to Microsoft. In most cases, this allows Microsoft to reproduce, analyze, and address the vulnerability in code, and even get the vulnerable component patched on systems worldwide through its Windows Update process.
Responsible disclosure is a delicate balance. Google’s Project Zero, for instance, provides a timeframe of 90 days for vendors to address vulnerabilities, regardless of release schedules of updates. This has led to the public disclosure of at least one vulnerability, prior to Microsoft’s ‘Patch Tuesday.’ Microsoft releases updates to its software on the second Tuesday of every month, and additionally, if need be. Microsoft started this Patch Tuesday practice in October 2003 and has relentlessly followed through on it ever since.
For most Microsoft cloud security vulnerabilities shared at Black Hat US, Microsoft has already provided updates. For others, they are releasing updates soon.
Common Vulnerabilities and Exposures
Microsoft works in the Common Vulnerabilities and Exposures (CVE) program as a CVE Numbering Authority (CNA). In this role, Microsoft assigns CVE IDs to vulnerabilities. Microsoft works together with roughly 400 other vendors, hosters, researchers, bug bounty providers, and computer emergency response teams (CERTs) to provide a reference method for publicly known information-security vulnerabilities and exposures. It’s a far more reliable system than tracking the names researchers attach to their discovered vulnerabilities.
Vulnerabilities are labeled with their year of disclosure and a sequence number that is part of the range of the CNA. For instance, Alon Leviev’s ‘Downdate’ leverages CVE-2024-38202 and CVE-2024-21302.
Does that mean that Microsoft has observed over thirty-eight thousand vulnerabilities this year alone? Nah. Microsoft’s reservation in this year’s sequence didn’t start at 1.
Microsoft Cloud CVEs
Yehuda Smirnov’s method and Eric Woodruff’s ‘UnOAuthorized’ did not get CVEs assigned. Yehuda Smirnov’s tactic doesn’t technically exploit a vulnerability in the Microsoft technology. Eric Woodruff’s tactic, however, unearthed tangible vulnerabilities, but until recently Microsoft refused to assign CVE IDs for vulnerabilities in its cloud services unless action was required by an admin. Today, Microsoft offers the transparency that CVEs provide for its cloud services, too.
Threat Modeling
Whether a vulnerability is impactful to your organization is a different story. It depends on the amount of legacy technology present in the infrastructure, how the technology is used, maturity of processes and the knowledge of the people managing the infrastructure.
To this purpose, CVEs are accompanied by a base score on the Common Vulnerability Scoring System (CVSS) scale from 0 to 10. When a CVE has a CVSS base score of 0, it means that theoretically a vulnerability can be exploited, but no one has ever successfully researched doing so. A CVSS base score of 10 means that the vulnerability can easily be exploited by anyone. It’s not common for vulnerabilities to have these extreme scores. CVEs with a CVSS score of 10 do occur, but most of the time, serious vulnerabilities have a CVSS score of 9.8. The latest version of CVSS, version 4, expands further on the base score with additional scores to indicate threat level and environmental variables, but is not widely adopted yet.
When looking at the vulnerabilities disclosed at Black Hat, their presenters provide a lot of information that enables your security team to assess whether the vulnerability is impactful to your organization or not.
- If your organization hasn’t switched to Entra-joined Windows devices, is 100% Mac-based, or people in your organization don’t use biometrics to sign into Windows, then Yehuda Smirnov’s Windows Hello for Business findings should not cause you any panic.
- If your organization is fully dependent on Entra ID for SaaS applications and other modern cloud infrastructure, and has Entra-joined Windows devices, then the vulnerabilities exposed by Eric Woodruff and Alon Leviev are something you might want to dig into more. With the right mitigating measures, the potential impact can be minimized.
But alas…
Eric Woodruff’s research paints an unsettling picture of Microsoft’s Cloud Security that underscores the importance of security awareness and an understanding of Identities.
Microsoft did not assign CVEs because Eric disclosed his findings before Microsoft began assigning CVEs to its cloud services. An admin could not address the vulnerabilities themselves, so Microsoft did not see the need to assign CVEs at the time.
In the first half of 2024, Microsoft silently addressed the exploitable functionality of Viva Engage (the ability to delete users, even Global Administrators), Microsoft Rights Management Service (its ability to create users) and the Device Registration Service (with the ability to assign privileged roles to any user).
Only because Eric decided to present his findings at Black Hat, backed by thorough vulnerability research, did we find out that the security model of the Microsoft services we use did not rely on OAuth scopes alone for access control: Microsoft also used hidden access controls granting the above services privileges, which we could only detect in audit logs after one or more of the vulnerabilities had been abused.
I recently sat down with Eric Woodruff and my Dutch IT Bros co-host, Raymond Comvalius, to discuss these topics in more detail - have a watch here!
The video is not just about Eric’s ‘UnOAuthorized’ session from Black Hat. We also talked about the need for community education and support around Entra ID Security & Identities and backup solutions that play a role in Entra application management. We each share our recommendations for IT Pros charged with securing Entra ID and outline resources that will help guide Identity and Security pros towards securing their Microsoft Entra tenant(s).
How Microsoft plans to make a difference
Every year, Microsoft addresses many vulnerabilities in its products and services. Through knowledge of our environments and software bills of materials (SBOMs), we can assess the impact a vulnerability might have on our organizations. As Eric’s research shows, we can’t defend against everything. Microsoft Cloud services lacked transparency in some respects, but Microsoft is paving the way to improve on that, too. The list of vulnerabilities in Azure is growing and provides information on vulnerable identity libraries with a handy URL trick. In addition, Microsoft seems to be on the right path to making Security a focus with its Secure Future Initiative.
How ENow positively impacts Entra ID Application Security & Governance
ENow’s Application Governance Accelerator offers defenders tools for governing enterprise applications and application registrations in Microsoft Entra ID.
It features a report on Microsoft Authentication libraries versions used by applications. This report already flags libraries that are version n-2 of the most up-to-date libraries observed in use by applications. In a future version, ENow plans to add the functionality to flag vulnerable library versions. With this information, developers of internally developed applications can opt to use a non-vulnerable version of the library. Additionally, vendors can be notified to update the libraries in their solutions to avoid getting mangled in a supply chain attack. With this tool, organizations can quickly identify Enterprise App Misconfigurations, risky App Registrations, and insecure default tenant settings.
ENow saw the need for a community-driven solution for securing Enterprise Apps in Entra ID and created a free tool for organizations to profile their Entra ID Application landscape to assess risk and learn why and how to make changes to Enterprise Apps, App Registrations, and Entra ID Tenant Settings for a more secure future. You can access your unique Entra App Security & Governance Score and assessment and find resources and how-to articles on the AppGov Score blog.
If you get stuck, or want a sounding board, catch us over at the AppGov Community Forum; Microsoft Security & Identity MVPs are standing by ready to help!
Written by Sander Berkouwer
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities, but his out-of-the-box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge compared to his true goal: helping people use the technology on a daily basis, in a way that ICT is not a mere hurdle but an infinite enabler. His work as a consultant, blogger and trainer is all a means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aid him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.