Today, for its April 2021 Patch Tuesday, Microsoft released an important security update for the Azure AD web sign-in feature in Windows and Windows Server. This vulnerability is known as CVE-2021-27092 and rated with CVSSv3.0 scores of 6.8/5.9.
About Azure AD Web Sign-in
Web Sign-in is a new way of signing into a Windows system. It enables Windows logon support for non-AD FS federated providers (e.g. SAML). Web sign-in enables you to set multifactor authentication before signing in to Windows. Web Sign-in is only supported on Azure AD Joined PCs.
About the vulnerability
An elevation of privilege vulnerability exists in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication.
It allows an attacker with physical access to the device to gain unauthorized access.
DISCLOSURE
The vulnerability was responsibly disclosed to Microsoft.
AFFECTED OPERATING SYSTEMS
The following Operating Systems (OSs) are affected:
- Windows 10, version 1803
- Windows 10, version 1809
- Windows 10, version 1909
- Windows 10, version 2004
- Windows 10, version 20H2
- Windows Server 2019
- Windows Server, version 1909
- Windows Server, version 2004
- Windows Server, version 20H2
The Web Sign-in feature was introduced with Windows 10, version 1809 and does not affect other supported Operating Systems, like Windows Server 2012 and Windows Server 2016.
Recommendation
Azure AD-joined devices that have the Web sign-in feature enabled through the Authentication CSP, should be updated with the April 2021 Cumulative Update to prevent unauthorized access.
Further reading
Azure AD Web Sign-in Security Feature Bypass Vulnerability
What's new in Windows 10, version 1809 – Web Sign-in
Login