
New research has uncovered continuing risk from a known security weakness in Microsoft’s Entra ID that could allow malicious actors to take over accounts in software-as-a-service (SaaS) applications.
Identity security company Semperis, in an analysis of 104 SaaS applications, found that nine of them are vulnerable to Entra ID cross-tenant nOAuth abuse.
nOAuth, first disclosed by Descope in June 2023, refers to a weakness in the way SaaS applications implement OpenID Connect (OIDC), the authentication layer built on top of OAuth to verify a user’s identity.
Because of flaws in that implementation, a bad actor can essentially change the email attribute of their own Entra ID account to the victim’s email address and then use the app’s “Log in with Microsoft” feature to hijack the victim’s account.

The attack is trivial, but it works because Entra ID allows users to have unverified email addresses, which opens the door to impersonation across tenant boundaries.
It also takes advantage of the fact that apps supporting multiple identity providers (such as Google, Facebook or Microsoft) could let an attacker sign in to a target user’s account simply because the email address is the only criterion used to merge accounts.
Semperis’ threat model focuses on a nOAuth variant, specifically hunting for applications that permit Entra ID cross-tenant access. In other words, the attacker and the victim reside in two different Entra ID tenants.
“nOAuth abuse is a serious threat that many organizations may be exposed to,” said Eric Woodruff, chief identity architect at Semperis. “It is low effort, leaves few traces, and bypasses end-user protections.”
“Attackers who successfully abuse nOAuth can not only gain access to SaaS application data, they could also pivot to Microsoft 365 resources.”
Semperis reported its findings to Microsoft in December 2024, prompting the Windows maker to reiterate the recommendations it had issued in 2023 alongside the original nOAuth disclosure. Microsoft also noted that vendors who do not comply with those guidelines risk having their apps removed from the Entra App Gallery.
Microsoft further emphasizes that using any claim other than the subject identifier (the “sub” claim) to uniquely identify an OpenID Connect end user is non-compliant.
“If an OpenID Connect relying party uses any claims other than the combination of the sub (subject) and iss (issuer) claims as the primary account identifier, it breaks the expected contract between the federated identity provider and the relying party.”
Mitigating nOAuth is ultimately in the hands of developers, who must implement authentication correctly by keying accounts on unique and immutable user identifiers rather than on email addresses, so that account takeovers of this kind are not possible.
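The following is an added example, not code from the article, from Semperis, or from Descope. It models the account-lookup logic of two relying parties: one that finds and merges accounts by the `email` claim alone (the nOAuth weakness described above) and one that uses the (`iss`, `sub`) pair as its primary identifier, as Microsoft’s guidance requires. Every claim value is constructed; the tenant GUIDs, subject strings, and the `https://login.microsoftonline.com/{tenant}/v2.0` issuer format are placeholders used for illustration only.

```python
"""Added example (not from the article, Semperis or Descope): an email-keyed
relying party beside a subject-keyed one, fed the same two constructed ID-token
claim sets. Tenant IDs, subjects and addresses are placeholders."""

# Placeholder tenant IDs. Each Entra ID tenant has its own issuer value, so
# the attacker's and victim's tokens never share an `iss` (format assumed).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"


def entra_issuer(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


# Claims as the app sees them after signature validation. The attacker, in
# their own tenant, has set the mutable, unverified `email` attribute of their
# account to the victim's address; `iss` and `sub` are still the attacker's.
VICTIM_CLAIMS = {
    "iss": entra_issuer(VICTIM_TENANT),
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "email": "alice@victim.example",
}
ATTACKER_CLAIMS = {
    "iss": entra_issuer(ATTACKER_TENANT),
    "sub": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "email": "alice@victim.example",  # impersonated; Entra ID did not verify it
}


class EmailKeyedApp:
    """Vulnerable relying party: accounts are found and merged by email alone."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def login(self, claims: dict) -> dict:
        key = claims["email"].lower()
        # First login provisions the account; any later login carrying the same
        # email, from any issuer and any subject, lands in the same record.
        return self.accounts.setdefault(key, {"owner_sub": claims["sub"], "secrets": []})


class SubjectKeyedApp:
    """Hardened relying party: the primary account identifier is (iss, sub)."""

    def __init__(self) -> None:
        self.accounts: dict[tuple[str, str], dict] = {}
        self.by_email: dict[str, tuple[str, str]] = {}

    def login(self, claims: dict) -> dict:
        key = (claims["iss"], claims["sub"])
        if key in self.accounts:
            return self.accounts[key]
        # New subject. If the email is already linked to a different (iss, sub),
        # refuse rather than silently merge: linking must be an explicit,
        # verified step, never an inference from a mutable claim.
        email = claims["email"].lower()
        if email in self.by_email and self.by_email[email] != key:
            raise PermissionError("email already linked to another subject; explicit linking required")
        record = {"owner_sub": claims["sub"], "secrets": []}
        self.accounts[key] = record
        self.by_email[email] = key
        return record


def takeover_possible(app) -> bool:
    """Victim signs up first and stores data; then the attacker logs in.
    Returns True if the attacker is handed the victim's account record."""
    victim_record = app.login(VICTIM_CLAIMS)
    victim_record["secrets"].append("victim's data")
    try:
        attacker_record = app.login(ATTACKER_CLAIMS)
    except PermissionError:
        return False
    return attacker_record is victim_record


if __name__ == "__main__":
    print("email-keyed app, takeover possible:", takeover_possible(EmailKeyedApp()))
    print("subject-keyed app, takeover possible:", takeover_possible(SubjectKeyedApp()))
```

The hardened version deliberately refuses to create a second account for an email that is already linked, instead of auto-linking it; whether an app then verifies the address out of band or simply creates a separate, unlinked account is a product decision, but in neither case does an attacker-controlled `email` claim reach an existing user’s data.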
“nOAuth abuse can enable cross-tenant compromise and lead to exfiltration of SaaS application data, persistence and lateral movement,” the company said. “It is difficult for customers to detect vulnerable applications, and impossible for customers to defend against.”

The disclosure comes as Trend Micro revealed that misconfigured or overly privileged containers in a Kubernetes environment can be abused to gain access to sensitive Amazon Web Services (AWS) credentials, allowing attackers to carry out follow-on activity.
The cybersecurity company said attackers can obtain plaintext credentials and spoof API calls by leveraging the excessive privileges granted to containers, using methods such as packet sniffing of unencrypted HTTP traffic.

“The findings of the investigation […] highlight important security considerations when using Amazon EKS Pod Identity to simplify AWS resource access in Kubernetes environments,” said security researcher Jiri Gogela.
“These vulnerabilities underscore the importance of adhering to the principle of least privilege, having container configurations properly scoped, and minimizing opportunities for exploitation by malicious actors.”
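As an added example, not code from the Trend Micro write-up, the following script audits Pod manifests for the settings that give a container more than it needs, including the combination that lets a workload capture other workloads’ traffic on the node. The two manifests are constructed, the image names are placeholders, and which settings count as “overly privileged” is this example’s assumption for illustration rather than Trend Micro’s checklist.

```python
"""Added example, not from Trend Micro: flag Pod settings that exceed least
privilege. Both manifests are constructed; the rule set is an assumption."""

# Constructed manifests, already parsed from YAML into dicts.
OVERPRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-tools"},
    "spec": {
        "hostNetwork": True,  # shares the node's network namespace
        "containers": [{
            "name": "tools",
            "image": "example.invalid/tools:latest",  # placeholder image
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["NET_RAW", "NET_ADMIN"]},
            },
        }],
    },
}

SCOPED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "automountServiceAccountToken": False,  # workload never calls the API server
        "containers": [{
            "name": "api",
            "image": "example.invalid/api:1.0",  # placeholder image
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    spec = pod.get("spec") or {}
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is true (shares a node namespace)")
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: service account token auto-mounted; set false unless the API server is used")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {c.upper() for c in caps.get("add", [])}
        dropped = {c.upper() for c in caps.get("drop", [])}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        # CAP_NET_RAW permits packet sockets, which is what a sniffer needs;
        # with hostNetwork that covers the node's traffic, not just the pod's.
        # Some runtime defaults grant it, so require an explicit drop.
        if "NET_RAW" in added or ("ALL" not in dropped and "NET_RAW" not in dropped):
            findings.append(f"{name}: CAP_NET_RAW not dropped (raw sockets allow packet capture)")
        for cap in sorted(added - {"NET_RAW"}):
            findings.append(f"{name}: capability {cap} added")
    return findings


if __name__ == "__main__":
    for pod in (OVERPRIVILEGED_POD, SCOPED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok"])
```

The same checks can be enforced at admission time with a Pod Security Admission profile or a policy engine; the script is only the reading-order version of the rules, useful for reviewing manifests in a repository before they reach a cluster.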