Hackers Exploit Azure App Proxy Pre-Authentication to Access Private Networks

Hackers are exploiting a vulnerability in Microsoft’s Azure App Proxy by manipulating the pre-authentication settings to gain unauthorized access to private networks.

The Azure App Proxy is designed to securely publish on-premises applications to the public internet without requiring firewall port openings, leveraging Microsoft Entra ID for authentication,.

How Azure App Proxy Works

For organizations to use Azure App Proxy, a private network connector must be installed on a system within their private network.

This connector establishes an outbound connection to Azure, allowing applications to be published through the proxy.

According to the TrustedSec report, the pre-authentication setting is crucial here, as it determines how users are authenticated before accessing published applications.

Pre-Authentication Settings

Azure App Proxy offers two pre-authentication options: Microsoft Entra ID and Passthrough. 

Microsoft Entra ID is the default, providing robust authentication by redirecting users to Microsoft’s authentication services before accessing the application.

This ensures that all paths within the application are protected by Entra ID authentication.

On the other hand, Passthrough does not require authentication before forwarding requests to the application.

While this option might seem useful for publicly accessible applications, it leaves them vulnerable to unauthorized access.

Microsoft’s documentation warns that Passthrough does not protect against anonymous attacks, similar to exposing a server port directly to the internet.

Risks and Exploits

In a demonstration setup using a Windows Server 2022 VM hosting a basic HTTP website, two applications were configured with different pre-authentication settings:

• MSENTRAID-redactedoutlook.msappproxy.net used Microsoft Entra ID for authentication, requiring users to authenticate before accessing the application.
• PASSTHROUGH-redactedoutlook.msappproxy.net, as expected, did not require authentication, allowing direct access to the application and its resources.

When using the Passthrough option, not only is the intended public application accessible, but so are other resources on the server. This can lead to unintentional exposure of sensitive private network resources.

For instance, if a sales quoting application at the root of the site uses Entra ID for authentication, while a customer portal at a different path is intended to be publicly accessible, using Passthrough could inadvertently make the entire server accessible.

Forced Browsing and Brute-Force Attacks

Hackers can easily exploit this vulnerability by engaging in forced browsing for content discovery.

 Each request to the Passthrough URL reveals responses directly from the VM, including potentially sensitive applications or directories that were not intended to be public.

In the scenario where a path prompts for HTTP Basic authentication, attackers can use tools like Burp Suite’s Intruder to brute-force common default credentials such as admin:admin.

If weak credentials are used, unauthorized access to data or applications can occur, providing an entry point for malicious activities.

While the Azure App Proxy is a powerful tool for securing remote access to applications, misconfiguring pre-authentication settings can have severe consequences.

Organizations must carefully evaluate their use of Passthrough, ensuring that they understand the risks involved and take additional measures to secure applications and resources that are not intended for public access.

Regular security audits and strong authentication practices are crucial to mitigating these vulnerabilities and protecting sensitive private network resources.

By adopting these practices, organizations can effectively use Azure App Proxy while safeguarding their private network resources against unauthorized access.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!