high

Privilege Elevation Vulnerability in Entra ID

Published Wed, Aug 7th, 2024
Platforms

Summary

Semperis researchers discovered vulnerabilities in Microsoft applications that allowed privilege elevation in Entra ID beyond expected authorization controls. The most severe finding enabled adding users to privileged roles, including Global Administrator, without proper permissions. The issues affected Device Registration Service, Viva Engage, and Microsoft Rights Management Service. Microsoft has since resolved the vulnerabilities.

Affected Services

Entra ID, Device Registration Service, Viva Engage, Microsoft Rights Management Service

Remediation

Inspect affected service principals for lingering credentials using Microsoft Graph. Examine Entra ID audit logs for suspicious activity by Device Registration Service. Treat Application Administrator and Cloud Application Administrator roles as highly privileged.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Thu, Jan 11th, 2024
Exploitability Period
Until 2024/04/19
Known ITW Exploitation
-
Detection Methods
Check for credentials assigned to Device Registration Service and Viva Engage service principals. Search Entra ID audit logs for actions performed by Device Registration Service and credential assignments to its service principal.
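The two checks described under Remediation and Detection Methods (credentials lingering on the affected first-party service principals, and audit-log activity initiated by or targeting Device Registration Service) can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example written for this entry; it is not code from Semperis or Microsoft. Assumptions to adjust for your tenant: the service principals are matched by display name (Viva Engage may still appear under its former name in some tenants), the audit activity strings `Add service principal credentials` and `Add member to role` are assumed to match the events of interest, and the 90-day lookback window is arbitrary.

```powershell
# Added example for this entry (not from the advisory, Semperis, or Microsoft).
# Requires: Microsoft.Graph PowerShell SDK, read-only Graph scopes.
Connect-MgGraph -Scopes "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Display names of the service principals named in this entry (assumption: these
# are the names as they appear in your tenant; Viva Engage may be listed as Yammer).
$WatchedServicePrincipals = @(
    "Device Registration Service",
    "Viva Engage",
    "Microsoft Rights Management Service"
)

# Check 1: list every key or password credential on the watched service principals.
# First-party Microsoft service principals should normally carry no tenant-added
# credentials, so any row returned here deserves investigation.
function Get-WatchedServicePrincipalCredentials {
    foreach ($name in $WatchedServicePrincipals) {
        $sps = Get-MgServicePrincipal -Filter "displayName eq '$name'" `
            -Property Id, AppId, DisplayName, KeyCredentials, PasswordCredentials
        foreach ($sp in $sps) {
            $creds = @($sp.KeyCredentials) + @($sp.PasswordCredentials)
            foreach ($c in $creds) {
                if ($null -eq $c) { continue }
                [pscustomobject]@{
                    ServicePrincipal = $sp.DisplayName
                    ObjectId         = $sp.Id
                    AppId            = $sp.AppId
                    CredentialType   = $c.Type
                    KeyId            = $c.KeyId
                    StartDateTime    = $c.StartDateTime
                    EndDateTime      = $c.EndDateTime
                }
            }
        }
    }
}

# Check 2: pull directory audit events from the last N days and filter client-side
# for (a) anything initiated by Device Registration Service and (b) credential
# assignments or role changes that target one of the watched service principals.
# Client-side filtering is used so the script does not depend on server-side
# support for nested initiatedBy/app filters (assumption: the activity names below
# match your tenant's audit log wording).
function Get-SuspiciousDirectoryAudits {
    param([int]$LookbackDays = 90)

    $since  = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $audits = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

    $initiatedByDrs = $audits | Where-Object {
        $_.InitiatedBy.App -and $_.InitiatedBy.App.DisplayName -eq "Device Registration Service"
    }

    $targetingWatched = $audits | Where-Object {
        ($_.ActivityDisplayName -in @("Add service principal credentials", "Add member to role")) -and
        ($_.TargetResources | Where-Object { $_.DisplayName -in $WatchedServicePrincipals })
    }

    ($initiatedByDrs + $targetingWatched) | Sort-Object ActivityDateTime -Unique |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = "Initiator"; e = { if ($_.InitiatedBy.App) { $_.InitiatedBy.App.DisplayName } else { $_.InitiatedBy.User.UserPrincipalName } } },
            @{ n = "Targets";   e = { ($_.TargetResources | ForEach-Object DisplayName) -join "; " } }
}

Write-Host "== Credentials on watched service principals =="
Get-WatchedServicePrincipalCredentials | Format-Table -AutoSize

Write-Host "== Audit events initiated by Device Registration Service or targeting watched SPs =="
Get-SuspiciousDirectoryAudits -LookbackDays 90 | Format-Table -AutoSize
```

An empty credential table is the expected baseline for these Microsoft-owned service principals; any credential found, or any `Add service principal credentials` event against them, should be traced back to the actor in the audit log. Because the audit query filters only on date server-side and then narrows client-side, large tenants may want to shorten `LookbackDays` or add an `activityDisplayName` term to the Graph filter once the exact wording in the tenant is confirmed.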
Piercing Index Rating
-
Discovered by
Eric Woodruff, Semperis