medium

GraphNinja

Published Mon, Apr 29th, 2024

Platforms

Summary

A vulnerability in Microsoft Graph allowed attackers to conduct password-spray attacks without detection. The issue involved switching the 'common' authentication endpoint with that of an unrelated tenant, thereby avoiding the appearance of logon attempts in the victim's logs. This technique could allow attackers to validate user credentials through verbose error messages, but actual successful logons using these credentials would still be recorded in the victims' logs (regardless of endpoint).

Affected Services

Microsoft Graph

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://trustedsec.com/blog/full-disclosure-a-look-at-a-recently-patched-microsoft-graph-logging-bypass-graphninja

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Exploitability Period

June 2023 - March 2024

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Nyx Geek, TrustedSec

More vulnerabilities...

high

Azure tenant takeover via Microsoft application

A vulnerability in Microsoft Dynamics 365 Supply Chain Visibility allowed arbitrary takeover of Azure tenants via a malicious reply URL. Clicking a link could grant an attacker directory read acces...

Arnau Ortega, FalconForceApr 26, 2024

critical

AWS Amplify IAM role publicly assumable exposure

The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Ampl...

Nick Frichette, DatadogApr 15, 2024

low

AWS Glue database password leakage

A principal with the permissions glue:GetConnection and ec2:DescribeSubnets can retrieve the database password of a connection, since the password is loaded into the AWS console website when a conn...

Michael Werner, SEC ConsultApr 11, 2024

View all