This does not sound good: recently discovered vulnerabilities in Microsoft 365 allow multi-factor authentication to be bypassed. Proofpoint security researchers have just published the details.
Proofpoint security researchers recently discovered critical vulnerabilities in the implementation of multi-factor authentication (MFA) in cloud environments where WS-Trust is enabled. The vulnerabilities were announced by Proofpoint and demonstrated at the Proofpoint Protect virtual user conference. They have most likely existed for years. The researchers tested several identity provider (IDP) solutions, identified those that were vulnerable, and had the security issues resolved.
These vulnerabilities could allow attackers to bypass MFA and thereby gain access to cloud applications that rely on the WS-Trust protocol. According to Proofpoint, this particularly affects Microsoft 365.
The researchers write that, because of the way Microsoft 365 session login is designed, an attacker could gain full access to the target's account, including e-mails, files, contacts and other data. The same vulnerabilities could also be used to access other Microsoft cloud services, including production and development environments such as Azure and Visual Studio.
The weaknesses stem from what Microsoft itself describes as the "inherently insecure protocol" WS-Trust, combined with various errors in how the IDPs implemented it. In some cases an attacker could spoof their IP address and bypass MFA by simply manipulating a request header. In another case, changing the User-Agent header caused the IDP to misidentify the protocol and believe that modern authentication was in use. In both cases Microsoft logs the connection as "Modern Authentication", because the exploit pivots from the legacy protocol to the modern one. Administrators and security staff monitoring the tenant would therefore see a connection established via "Modern Authentication" and remain unaware of the situation and the associated risks.
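The two implementation errors described above are easy to reproduce in miniature. The following Python is an added illustration written for this page, not Proofpoint's proof of concept or any vendor's code: it models an IDP that waives MFA for requests from a trusted corporate network and that classifies the authentication protocol, once in the flawed way (trusting client-controlled headers) and once hardened. The header name (X-Forwarded-For), the network ranges, the proxy address, the User-Agent marker string and the endpoint path are all assumptions made for the example; the article does not name which header or which IDP product was affected.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example configuration (assumptions, not taken from the article):
# a corporate egress range for which the IdP skips MFA, and the one reverse
# proxy that legitimately sits in front of the IdP and sets X-Forwarded-For.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}


@dataclass
class Request:
    peer_ip: str                              # TCP peer address as seen by the IdP
    path: str                                 # endpoint the request was sent to
    headers: dict = field(default_factory=dict)


def mfa_required_vulnerable(req: Request) -> bool:
    """Flawed: trusts the client-supplied X-Forwarded-For header unconditionally,
    so anyone who sets it to a corporate address is treated as on-network."""
    claimed = req.headers.get("X-Forwarded-For", req.peer_ip).split(",")[0].strip()
    return not any(ipaddress.ip_address(claimed) in net for net in TRUSTED_NETWORKS)


def client_ip_hardened(req: Request) -> ipaddress._BaseAddress:
    """Only honours X-Forwarded-For when the direct peer is our own proxy, and
    then takes the address that proxy appended (the last element); anything
    earlier in the list came from the client and is untrusted."""
    peer = ipaddress.ip_address(req.peer_ip)
    xff = req.headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def mfa_required_hardened(req: Request) -> bool:
    return not any(client_ip_hardened(req) in net for net in TRUSTED_NETWORKS)


def protocol_vulnerable(req: Request) -> str:
    """Flawed: decides 'legacy' vs 'modern' from the User-Agent string, which the
    client controls. 'Modern-Client' is an assumed marker for this example."""
    return "modern" if "Modern-Client" in req.headers.get("User-Agent", "") else "legacy"


def protocol_hardened(req: Request) -> str:
    """Classifies by the endpoint actually hit; a WS-Trust request stays 'legacy'
    no matter what User-Agent it carries. The path prefix is assumed here."""
    return "legacy" if req.path.startswith("/adfs/services/trust/") else "modern"


if __name__ == "__main__":
    # Constructed attacker request: direct connection from an outside address,
    # forged X-Forwarded-For, legacy WS-Trust endpoint, "modern" User-Agent.
    attack = Request(
        peer_ip="192.0.2.77",
        path="/adfs/services/trust/13/usernamemixed",
        headers={"X-Forwarded-For": "203.0.113.5", "User-Agent": "Modern-Client/1.0"},
    )
    print("vulnerable: MFA required =", mfa_required_vulnerable(attack),
          "protocol =", protocol_vulnerable(attack))
    print("hardened:   MFA required =", mfa_required_hardened(attack),
          "protocol =", protocol_hardened(attack))
```

The hardened variant fixes both halves of the problem the article describes: the network-location exception is evaluated on an address the attacker cannot choose, and the protocol is identified by the endpoint rather than by a string the client sends. Where it can be done without breaking clients, the stronger mitigation is to not expose the WS-Trust endpoints at all, since a legacy request that is correctly classified still cannot be made to go through the modern MFA flow.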
The vulnerabilities take some research to find, but once discovered they can be exploited in an automated fashion. They are hard to spot, may not show up in the event logs at all, and can leave no trace or indication of the activity. Since MFA as a preventive control can be bypassed, additional security measures are needed to detect and remediate account compromise. More details can be found in the Proofpoint article.
#Microsoft #Multifactor #authentication #bypassed #born