The existence of a new and potentially serious privilege escalation and password reset vulnerability in Azure Active Directory Connect (AADC) was recently made public by Microsoft.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis
The fix is to upgrade to the latest available release of AADC, version 1.1.553.0.
https://www.microsoft.com/en-us/download/details.aspx?id=47594
The Microsoft security advisory rates the issue as important and was published on TechNet under reference number 4033453:
https://technet.microsoft.com/library/security/4033453.aspx#ID0EN
Azure Active Directory Connect, as we know, takes care of all operations related to the synchronization of identity information between on-premises environments and Active Directory Federation Services (ADFS) in the cloud. The tool is also the recommended successor to Azure AD Sync and DirSync.
Microsoft were quoted as saying…
The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is mis-configured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.
When setting up the permission, an on-premises AD Administrator may have inadvertently granted Azure AD Connect with Reset Password permission over on-premises AD privileged accounts (including Enterprise and Domain Administrator accounts).
In this case, as stated by Microsoft, the risk is that a malicious administrator resets the password of an Active Directory user using “password writeback”, allowing the administrator in question to gain privileged access to a customer’s on-premises Active Directory environment.
Password writeback allows Azure Active Directory to write passwords back to an on-premises Active Directory environment, and helps simplify the process of setting up and managing complicated on-premises self-service password reset solutions. It also provides a rather convenient cloud-based means for users to reset their on-premises passwords.
Users may look for confirmation of their exposure to this vulnerability by checking whether the feature in question (password writeback) is enabled and whether AADC has been granted reset password permission over on-premises AD privileged accounts.
A further statement from Microsoft on this issue read…
If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
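One way to run the two on-premises checks described above (reset password permission over privileged accounts, and privileged group membership of the AD DS account), as an added example that is not taken from Microsoft's advisory or from this article. It assumes the ActiveDirectory PowerShell module is available, treats `adminCount=1` as a stand-in for "privileged", and uses a placeholder for the account name; it does not check whether password writeback is enabled.

```powershell
# Added example: audit the AD DS account used by Azure AD Connect.
# Requires the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# ASSUMPTION: placeholder; set to the AD DS account your AADC install uses.
$ConnectorSam = 'REPLACE-WITH-AADC-AD-DS-ACCOUNT'

# Rights GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$GenericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$connector = Get-ADUser -Identity $ConnectorSam
$sid       = $connector.SID.Value

# Check 1: protected groups (adminCount=1) containing the account, directly or
# through nesting (LDAP_MATCHING_RULE_IN_CHAIN). Primary group is not covered.
$filter     = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($connector.DistinguishedName)))"
$privGroups = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

# Check 2: protected users whose ACL lets the account reset their password.
# Only ACEs naming the account's own SID are evaluated, not ACEs on its groups.
$exposed = foreach ($u in Get-ADUser -LDAPFilter '(adminCount=1)') {
    $acl   = Get-Acl -Path ('AD:\' + $u.DistinguishedName)
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.IdentityReference.Value -ne $sid) { continue }
        if ($r.PropagationFlags -match 'InheritOnly') { continue }  # applies to children only
        $rights = [int]$r.ActiveDirectoryRights
        # GenericAll is a composite mask, so every bit must be present.
        $full  = ($rights -band $GenericAll) -eq $GenericAll
        # An ExtendedRight ACE with an empty ObjectType grants all extended rights.
        $reset = ($rights -band $ExtRight) -and
                 (@($ResetPwd, [guid]::Empty) -contains $r.ObjectType)
        if ($full -or $reset) { $u.SamAccountName; break }
    }
}

# Both lists empty means neither condition was found for this account.
[pscustomobject]@{
    ConnectorAccount       = $connector.SamAccountName
    PrivilegedGroups       = $privGroups
    ResetPasswordOverUsers = @($exposed)
}
```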
CVE reference number CVE-2017-8613 was attributed to the vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8613