Azure AD Connect version 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)

Hot on the heels of Azure AD Connect version 1.3.20.0, Microsoft released version 1.3.21.0 earlier this week to address an elevation of privilege vulnerability.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

    

About the vulnerability  

The vulnerability, known as CVE-2019-1000, could allow an attacker to execute two Windows PowerShell cmdlets in the context of a privileged account, and perform privileged actions.

To exploit this, an attacker would need to authenticate to the Azure AD Connect server. The two cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.

This security update addresses the issue by disabling these cmdlets.

   

About the fix

The vulnerability is fixed in version 1.3.21.0 of Azure AD Connect.
This release of Azure AD Connect was signed off on May 14th, 2019 and made available for download on that same date.

    

Download

You can download version 1.3.21.0 of Azure AD Connect here.
The download weighs 90.1 MB.
