If you kept up with Microsoft vulnerabilities this past month, there were quite a few to read up on. In addition to these and general industry news, additional vulnerabilities were highlighted at the US Black Hat event, organized from August 3rd to August 8th in Las Vegas. With all these vulnerabilities surfacing, does this mean that Microsoft only produces insecure software? Well, no, obviously not. Does this mean that Microsoft’s Secure Future Initiative is timelier than ever? Yes, definitely.
From a Microsoft cloud security point of view, this year’s Black Hat event was intriguing.
Black Hat provides a stage to security researchers, enthusiasts, admins and vendors to showcase their in-depth security knowledge, the latest security tools and software solution features. You can check out the keynotes, sessions (known as briefings) and speakers to get a better idea of the over-arching themes in briefings this year: a secure society, secure supply chains, secure networks, secure hardware and secure software.
As you’d expect, many vulnerabilities are shared, demonstrated and discussed. Security researchers claim their 15 to 60 minutes of fame. They finally get to divulge their responsibly disclosed vulnerabilities, as vendors were already on the road to fixing them. Here were some key vulnerabilities and findings shared:
Luckily, the people presenting these sessions have responsibly disclosed any vulnerabilities that they have discovered directly to Microsoft. In most cases, this allows Microsoft to reproduce, analyze, and address the vulnerability in code, and even get the vulnerable component patched on systems worldwide through its Windows Update process.
Responsible disclosure is a delicate balance. Google’s Project Zero, for instance, provides a timeframe of 90 days for vendors to address vulnerabilities, regardless of release schedules of updates. This has led to the public disclosure of at least one vulnerability, prior to Microsoft’s ‘Patch Tuesday.’ Microsoft releases updates to its software on the second Tuesday of every month, and additionally, if need be. Microsoft started this Patch Tuesday practice in October 2003 and has relentlessly followed through on it ever since.
For most Microsoft cloud security vulnerabilities shared at Black Hat US, Microsoft has already provided updates. For others, they are releasing updates soon.
Microsoft works in the Common Vulnerabilities and Exposures (CVE) program as a CVE Numbering Authority (CNA). In this role, Microsoft assigns CVE IDs to vulnerabilities. Microsoft works together with roughly 400 other vendors, hosters, researchers, bug bounty providers, and computer emergency response teams (CERTs) to provide a reference method for publicly known information-security vulnerabilities and exposures. It’s a far more reliable system than tracking the names researchers attach to their discovered vulnerabilities.
Vulnerabilities are labeled with their year of disclosure and a sequence number that is part of the range of the CNA. For instance, Alon Leviev’s ‘Downdate’ leverages CVE-2024-38202 and CVE-2024-21302.
Does that mean that Microsoft has observed over thirty-eight thousand vulnerabilities this year alone? Nah. Microsoft’s reservation in this year’s sequence didn’t start at 1.
Yehuda Smirnov’s method and Eric Woodruff’s ‘UnOAuthorized’ did not get CVEs assigned. Yehuda Smirnov’s tactic doesn’t technically exploit a vulnerability in the Microsoft technology. Eric Woodruff’s tactic, however, unearthed tangible vulnerabilities, but until more recently, Microsoft refused to assign CVE IDs for vulnerabilities in their cloud services, unless action was required by an admin. Today, Microsoft offers the transparency that CVEs offer for its cloud services, too.
Whether a vulnerability is impactful to your organization is a different story. It depends on the amount of legacy technology present in the infrastructure, how the technology is used, maturity of processes and the knowledge of the people managing the infrastructure.
To this purpose, CVEs are accompanied by a base score on the Common Vulnerability Scoring System (CVSS) scale from 0 to 10. When a CVE has a CVSS base score of 0, it means that theoretically a vulnerability can be exploited, but no one has ever successfully researched doing so. A CVSS base score of 10 means that the vulnerability can easily be exploited by anyone. It’s not common for vulnerabilities to have these extreme scores. CVEs with a CVSS score of 10 do occur, but most of the time, serious vulnerabilities have a CVSS score of 9.8. The latest version of CVSS, version 4, expands further on the base score with additional scores to indicate threat level and environmental variables, but is not widely adopted yet.
When looking at the vulnerabilities disclosed at Black Hat, their presenters provide a lot of information that enables your security team to assess whether the vulnerability is impactful to your organization or not.
Eric Woodruff’s research paints an unsettling picture of Microsoft’s Cloud Security that underscores the importance of security awareness and an understanding of Identities.
Microsoft did not assign CVEs as Eric disclosed his findings to Microsoft before they assigned CVEs to Microsoft cloud services. An admin could not address the vulnerabilities, so Microsoft did not see the need to do so at the time.
In the first half of 2024, Microsoft silently addressed the exploitable functionality of Viva Engage (the ability to delete users, even Global Administrators), Microsoft Rights Management Service (its ability to create users) and the Device Registration Service (with the ability to assign privileged roles to any user).
Only because Eric decided to present his findings at Black Hat, and with a thorough vulnerability research analysis, did we find out that the security model of the Microsoft services we use did not only use OAuth scopes for access control, but Microsoft also used some hidden access control granting the above services privileges…only for us to detect in audit logs after one or more of the vulnerabilities were abused…
I recently sat down with Eric Woodruff and my Dutch IT Bros co-host, Raymond Comvalius to discuss these topics in more detail - have a watch here!
The video is not just about Eric’s UnOAuthorized’ session from Black Hat. We also talked about the need for community education and support around Entra ID Security & Identities and backup solutions that play a role in Entra application management. We each share our recommendations for IT Pros charged with securing Entra ID and outline resources that will help guide Identity and Security pros towards securing their Microsoft Entra tenant(s).
Every year, Microsoft addresses many vulnerabilities in its products and services. Through knowledge of our environments and software bills of materials (SBOMs), we can assess the impact a vulnerability might have on our organizations. As Eric’s research shows, we can’t defend against everything. Microsoft Cloud services lacked transparency in some respects, but Microsoft is paving the way to improve on that, too. The list of vulnerabilities in Azure is growing and provides information on vulnerable identity libraries with a handy url trick. In addition, Microsoft seems to be on the right path to making Security a focus with their Secure Future Initiative.
ENow’s Application Governance Accelerator offers tools to defenders on enterprise applications and application registrations in Microsoft Entra ID.
It features a report on Microsoft Authentication libraries versions used by applications. This report already flags libraries that are version n-2 of the most up-to-date libraries observed in use by applications. In a future version, ENow plans to add the functionality to flag vulnerable library versions. With this information, developers of internally developed applications can opt to use a non-vulnerable version of the library. Additionally, vendors can be notified to update the libraries in their solutions to avoid getting mangled in a supply chain attack. With this tool, organizations can quickly identify Enterprise App Misconfigurations, risky App Registrations, and insecure default tenant settings.
ENow saw the need for a community-driven solution for securing Enterprise Apps in Entra ID and created a free tool for organizations to profile their Entra ID Application landscape to assess risk and learn why and how to make changes to Enterprise Apps, App Registrations, and Entra ID Tenant Settings for a more secure future. You can access your unique Entra App Security & Governance Score and assessment and find resources and how-to articles on the AppGov Score blog.
If you get stuck, or want a sounding board, catch us over at the AppGov Community Forum; Microsoft Security & Identity MVPs are standing by ready to help!