Executive Summary
Summary | |
---|---|
Title | Microsoft Security Advisory 4033453 |
Information | | | |
---|---|---|---|
Name | KB4033453 | First vendor Publication | 2017-06-27 |
Vendor | Microsoft | Last vendor Modification | 2017-06-27 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Subscore | NA | Temporal Score | NA |
Exploitability Subscore | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Microsoft Security Advisory 4033453
Vulnerability in Azure AD Connect Could Allow Elevation of Privilege
Published: June 27, 2017 Version: 1.0

You may have more than one AD DS account to evaluate if you are synchronizing multiple on-premises AD forests using Azure AD Connect.
Remediation steps
Upgrade to the latest version (1.1.553.0) of Azure AD Connect, which can be downloaded from here. We recommend you do so even if your organization isn't currently affected. For information on how to upgrade Azure AD Connect, refer to Azure AD Connect: Learn how to upgrade from a previous version to the latest.
The latest version of Azure AD Connect addresses this issue by blocking Password writeback requests for on-premises AD privileged accounts unless the requesting Azure AD administrator is the owner of the on-premises AD account. More specifically, when Azure AD Connect receives a Password writeback request from Azure AD:
- It checks if the target on-premises AD account is a privileged account by validating the AD adminCount attribute. If the value is null or 0, Azure AD Connect concludes this is not a privileged account and permits the Password writeback request.
- If the value is not null or 0, Azure AD Connect concludes this is a privileged account. Next, it validates whether the requesting user is the owner of the target on-premises AD account. It does so by checking the relationship between the target on-premises AD account and the Azure AD account of the requesting user in its Metaverse. If the requesting user is indeed the owner, Azure AD Connect permits the Password writeback request. Otherwise, the request is rejected.
The adminCount attribute is managed by the SDProp process. By default, SDProp runs every 60 minutes. Therefore, it can take up to an hour before the adminCount attribute of a newly created AD privileged user account is updated from NULL to 1. Until this happens, an Azure AD administrator can still reset the password of this newly created account. For information about the SDProp process, refer to Protected Accounts and Groups in Active Directory.
Mitigation steps
If you are unable to immediately upgrade to the latest Azure AD Connect version, consider the following options:
- If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
- If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account that permit the Reset Password operation, consider removing them.
- It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission. For information on how to create a DENY ACE using the Windows DSACLS tool, refer to Modify the AdminSDHolder container.
DSACLS DNofAdminSDHolderContainer /D CONTOSO\ADDSAccount:CA;"Reset Password"
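As an added audit (not part of the advisory), the following PowerShell checks the three conditions the mitigation steps describe: whether the AD DS account holds a Reset Password ACE on AdminSDHolder, whether it is a member of protected groups, and which accounts are currently stamped adminCount=1. The account name is a placeholder, and the script assumes the ActiveDirectory module on a domain-joined administrative host.

```powershell
Import-Module ActiveDirectory

# Placeholder: replace with the AD DS account Azure AD Connect uses for this forest.
$AddsAccount = 'CONTOSO\ADDSAccount'

# "Reset Password" is the User-Force-Change-Password control access right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$domain          = Get-ADDomain
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. Does the AD DS account hold Reset Password on AdminSDHolder?
#    An ALLOW ACE for ExtendedRight scoped to the Reset Password GUID (or to
#    all extended rights, the empty GUID) is what the mitigation says to remove
#    or override; a DENY ACE listed here shows the DSACLS mitigation is in place.
$acl = Get-Acl -Path "AD:\$adminSdHolderDn"
$resetAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AddsAccount -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
}
$resetAces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 2. Is the AD DS account itself a member of protected (adminCount=1) groups?
$sam = $AddsAccount.Split('\')[-1]
Get-ADPrincipalGroupMembership -Identity $sam |
    Where-Object { (Get-ADGroup -Identity $_ -Properties adminCount).adminCount -eq 1 } |
    Select-Object Name, DistinguishedName

# 3. Which accounts does the adminCount check currently treat as privileged?
#    A privileged account created within the last SDProp interval (60 minutes
#    by default) can be missing here until SDProp stamps it; that is the gap
#    the advisory's note describes.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenCreated |
    Select-Object SamAccountName, adminCount, whenCreated
```

Run it once per AD DS account when more than one forest is synchronized; an empty result from step 1 combined with an empty result from step 2 means the account has no path to resetting protected accounts' passwords.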
Original Source
Url : http://www.microsoft.com/en-us/library/security/4033453.mspx
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-06-29 | Name : An application installed on the remote Windows host is affected by an elevati... File : smb_kb4033453.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2017-07-06 00:24:40 | |
2017-06-29 17:24:22 | |
2017-06-28 05:21:08 | |