
Ethical Hackers Uncover Security Vulnerability in Multi-Factor Authentication System

"Real-World Insights on Circumventing Advanced Authentication Measures in a Major Corporate Setting, Now Available in Our Blog"


In a groundbreaking discovery, a cybersecurity team at CLOUDYRION has managed to bypass Multi-Factor Authentication (MFA) in a Fortune-500 corporate environment. This revelation sheds light on a potential vulnerability in a seemingly protected environment.

The security assessment covered several of the company's Azure subscriptions. The key to the exploit is the user action "Register or link devices": as Microsoft's own warning indicates, using it requires turning off the MFA requirement in the device identity settings. Once a device was registered, no further MFA was required to access corporate services such as Teams, Outlook, and Azure.

Windows Single Sign-On (SSO) supplied a valid token that governed access to these services. That token, together with the other Windows SSO tokens, allowed MFA-free access to the Azure CLI and to Intune functions such as adding a foreign account to a registered device.

The challenge was to test outside the browser, since the password manager in the test browser stored logins that were already MFA-capable. One tester could use their own client account to register the device and then assign it to their colleague's account, bypassing MFA by running "az login" in the Azure CLI.

The system requested MFA again only when the tester tried to change the actual Microsoft account. This finding underscores the need for a balanced approach to security and user-friendliness: only by striking this balance can sensitive information be protected effectively without impeding users' productivity.

Various solutions have been developed to prevent the Azure CLI from bypassing MFA. These include blacklists for actions involving foreign accounts, whitelists of the applications and actions that may be used with Windows SSO, blocking a device from being connected to more than one account, and blocking an account from being connected to more than one device.

Changes to Microsoft's Conditional Access policies now allow much finer control over many more actions, including the user action "Register or link devices." It is strongly recommended to implement a whitelist of all actions a user is allowed to perform, as this gives full control over every action.
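One way to check for the gap described above is to audit an export of the tenant's Conditional Access policies for an enforced policy that requires MFA on the "Register or link devices" user action. The following is an added example, not code from CLOUDYRION or the article; it assumes the Microsoft Graph policy schema (the user-action id `urn:user:registerdevice`, `state`, `conditions.applications.includeUserActions`, `grantControls.builtInControls`) and uses a constructed export with made-up policy ids.

```python
# Audit Conditional Access policies for MFA on the "Register or link devices" user action.
# The export shape mirrors GET /identity/conditionalAccess/policies (assumed schema).
REGISTER_DEVICE = "urn:user:registerdevice"  # Graph id of the user action

# Constructed export: an all-apps MFA policy (does not cover user actions) and a
# report-only policy for the user action, which is not enforced.
EXPORTED_POLICIES = {"value": [
    {"id": "p1", "displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"], "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "MFA on device registration (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": [], "includeUserActions": [REGISTER_DEVICE]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]}


def enforces_mfa_for_action(policy, action):
    """True only if an enabled policy targets `action` for all users and grants solely with MFA."""
    if policy.get("state") != "enabled":          # report-only or disabled policies enforce nothing
        return False
    conds = policy.get("conditions", {})
    if action not in conds.get("applications", {}).get("includeUserActions", []):
        return False                              # cloud-app scopes do not cover user actions
    users = conds.get("users", {})
    if "All" not in users.get("includeUsers", []) or users.get("excludeUsers"):
        return False                              # excluded users would keep the gap open
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if grant.get("operator") == "OR" and controls != ["mfa"]:
        return False                              # with OR, any other listed control bypasses MFA
    return "mfa" in controls


def audit(export, action=REGISTER_DEVICE):
    """Ids of policies that close the gap; an empty list means the action is unprotected."""
    return [p["id"] for p in export.get("value", []) if enforces_mfa_for_action(p, action)]


def recommended_policy():
    """Request body for POST /identity/conditionalAccess/policies that closes the gap."""
    return {
        "displayName": "Require MFA to register or link devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": [], "includeUserActions": [REGISTER_DEVICE]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
```

Creating the recommended policy only takes effect once the "Require Multifactor Authentication to register or join devices" toggle in device settings is off, as the article's reference to Microsoft's warning notes.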

The article does not mention any new measures taken or solutions developed. However, it serves as a reminder of the importance of continuously refining MFA policies and incorporating user feedback to maintain robust security measures.

It is essential to note that this exploit did not lead to any new consequences: no data breaches, no attacks on integrity or availability, and no violations of compliance guidelines. The article aims to raise awareness and promote best practices in the implementation and management of MFA in corporate environments.
