Hot on the heels of Azure AD Connect version 220.127.116.11, Microsoft released version 18.104.22.168 earlier this week to address an elevation of privilege vulnerability.
Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.
About the vulnerability
The vulnerability, known as CVE-2019-1000, could allow an attacker to execute two Windows PowerShell cmdlets in the context of a privileged account, and perform privileged actions.
To exploit this, an attacker would need to authenticate to the Azure AD Connect server. The two cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.
This security update addresses the issue by disabling these cmdlets.
About the fix
The vulnerability is fixed in version 22.214.171.124 of Azure AD Connect.
This release of Azure AD Connect was signed off on May 14th, 2019, and made available for download on that same date.
You can download version 126.96.36.199 of Azure AD Connect here.
The download weighs 90,1 MB.