Azure AD Web Sign-in Security Feature Bypass Vulnerability (CVE-2021-27092, Important)

Reading Time: 2 minutes

Today, for its April 2021 Patch Tuesday, Microsoft released an important security update for the Azure AD web sign-in feature in Windows and Windows Server. This vulnerability is known as CVE-2021-27092 and rated with CVSSv3.0 scores of 6.8/5.9.

About Azure AD Web Sign-in

Web Sign-in is a new way of signing into a Windows system. It enables Windows logon support for non-AD FS federated providers (e.g. SAML). Web sign-in enables you to set multifactor authentication before signing in to Windows. Web Sign-in is only supported on Azure AD Joined PCs.

About the vulnerability

An elevation of privilege vulnerability exists in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication.

It allows an attacker with physical access to the device to gain unauthorized access.

DISCLOSURE

The vulnerability was responsibly disclosed to Microsoft.

AFFECTED OPERATING SYSTEMS

The following Operating Systems (OSs) are affected:

  • Windows 10, version 1803
  • Windows 10, version 1809
  • Windows 10, version 1909
  • Windows 10, version 2004
  • Windows 10, version 20H2
  • Windows Server 2019
  • Windows Server, version 1909
  • Windows Server, version 2004
  • Windows Server, version 20H2

The Web Sign-in feature was introduced with Windows 10, version 1809 and  does not affect other supported Operating Systems, like Windows Server 2012 and Windows Server 2016.

Recommendation

Azure AD-joined devices that have the Web sign-in feature enabled through the Authentication CSP, should be updated with the April 2021 Cumulative Update to prevent unauthorized access.

Further reading

Azure AD Web Sign-in Security Feature Bypass Vulnerability    
What's new in Windows 10, version 1809 – Web Sign-in

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.