Microsoft has resolved a misconfiguration issue affecting the Azure Active Directory identity and access management service (AAD extension), which exposed several high-impact applications to unauthorized access.

Before We Begin: What is an AD Vulnerability?

An AD vulnerability is a weakness in Microsoft's Active Directory (AD) service, the central identity and access management service used in Windows environments. Such vulnerabilities can allow attackers to compromise authentication and authorization data, access sensitive information, and perform malicious actions inside the network. AD vulnerabilities can stem from misconfiguration, software or operating system security flaws, and even malware, so they need to be monitored for and fixed quickly to protect the environment and prevent security breaches.

What is the issue Azure had impacting the Bing search engine?

“One such application is a content management system (CMS) that powers Bing.com and has allowed us to not only modify search results but also launch high-impact XSS attacks on Bing users”, cloud security firm Wiz stated in a report.

Microsoft then added: “Such attacks could compromise users’ personal data, including Outlook emails and SharePoint documents”.

The issues were reported to Microsoft between January and February of 2022, after which the tech giant applied the fixes and awarded Wiz a $40,000 bounty for discovering the bug. Redmond said it found no evidence that the misconfigurations had been abused.

The core of the vulnerability stems from what is referred to as “shared responsibility confusion”: an Azure AD app can be misconfigured to accept sign-ins from users of any Microsoft tenant, and if the application itself never checks which tenant a user belongs to, the result is unintended access.
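The misconfiguration described above has two halves: a multi-tenant app registration, and application code that never validates the tenant the token came from. The following Python is an added example (not code from Wiz or Microsoft) of the tenant check a multi-tenant app must perform itself on the `tid` and `iss` claims; it assumes the token signature, audience and expiry were already verified by a JWT library, and the tenant IDs are constructed placeholders.

```python
# Added example: tenant allow-list check for a multi-tenant Azure AD app.
# Azure AD signs tokens for every tenant, so a valid signature alone does not
# prove the user belongs to *our* tenant. This is the check a misconfigured
# app (any-tenant sign-in audience, no tenant validation) leaves out.

# Constructed placeholder tenant IDs, not real tenants.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

def expected_issuers(tenant_id: str) -> set:
    """Issuer URLs Azure AD uses for a given tenant (v1.0 and v2.0 endpoints)."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }

def tenant_is_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Return True only if the token was issued for one of our tenants.

    Both tid and iss must agree: a token from another tenant is rejected
    even though Azure AD signed it, and a token whose tid and iss disagree
    is rejected as inconsistent.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False
    if tid not in allowed:
        return False
    return iss in expected_issuers(tid)

# Constructed sample claim sets (payload only; signature assumed verified).
HOME_TENANT_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "preferred_username": "admin@contoso.example",
}
FOREIGN_TENANT_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "preferred_username": "someone@outside.example",
}
MISMATCHED_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
}

if __name__ == "__main__":
    print(tenant_is_allowed(HOME_TENANT_TOKEN))     # True
    print(tenant_is_allowed(FOREIGN_TENANT_TOKEN))  # False
    print(tenant_is_allowed(MISMATCHED_TOKEN))      # False
```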

Interestingly, some internal Microsoft applications (including Azure ones) exhibited this behavior, giving external parties read and write access to the affected applications.

This includes the Bing Trivia application, which the cybersecurity company exploited to alter Bing search results and even manipulate content on the homepage, in an attack chain dubbed BingBang.

To make matters worse, the exploit could be used to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim’s Outlook emails, calendars, Teams messages, SharePoint documents and OneDrive files.

“An attacker with the same access could have hijacked the most popular search results with the same payload and leaked sensitive data of millions of users”, Wiz researcher Hillai Ben-Sasson noted.

Other applications that have been found to be vulnerable to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

In a related development, penetration testing company NetSPI has revealed details of a cross-tenant vulnerability in Power Platform connectors that could be exploited to gain access to sensitive data.

After responsible disclosure in September 2022, the serialization vulnerability was fixed by Microsoft in December 2022.

The research also follows the release of patches for Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.