Full Report
Microsoft Azure's Business To Customer (B2C) Active Directory (AD) service allows for a customer to create a website with AD for authentication that customers can use to create accounts. Using this, a full authN/authZ scheme can be built from pre-existing and known technology. A really good thing to build! The flow in question for authentication and authorization is the OAuth authorization flow with Proof Key for Code Exchange (PKCE). This uses the standard OAuth flow besides that it will also return a refresh token that uses JWE_RSA-OAEP. This uses an asymmetric encryption algorithm called RSA, which contains both a public and private key. In the flow, there is a signing key and an encryption key. When using the encryption setting, the public key is used for encryption. Now, this keeps the data secret from a snooping adversary but anybody can encrypt the data. Here in lines the problem: the RSA encryption is used for the generation of the refresh token. Since the public key is public, anybody who has access to this key is able to create their own tokens! The MSRC web portal uses this form of authentication as well. Since it's trivial to obtain the public key, they were able to craft refresh tokens for arbitrary users on the site. This means they could have viewed arbitrary bug reports, 0-days and much more. Overall, this is a classic case of misunderstanding the use case of cryptography. Gotta love it!
Analysis Summary
# Vulnerability: Azure B2C RSA Cryptographic Misuse
## CVE Details
- **CVE ID**: Not explicitly assigned in the article (Note: Microsoft often addresses Azure service-side flaws without a public CVE, though researchers rated it as a Critical Elevation of Privilege).
- **CVSS Score**: N/A (Researcher Rating: Critical; Microsoft Rating: Important)
- **CWE**: CWE-327: Use of a Broken or Risky Cryptographic Algorithm / CWE-669: Incorrect Resource Transfer Between Spheres
## Affected Systems
- **Products**: Microsoft Azure Active Directory B2C (Business to Customer)
- **Versions**: Cloud service environments active prior to February 15, 2023.
- **Configurations**:
- Environments using **Azure AD B2C custom policies**.
- Applications configured with **OAuth Authorization code flow (with PKCE)**.
- Environments following Microsoft’s default tutorial documentation for generating an encryption key of type “RSA” for the `TokenEncryptionKeyContainer`.
## Vulnerability Description
The vulnerability stems from a fundamental misuse of RSA cryptography in the generation of OAuth refresh tokens. In the affected Azure B2C configuration, refresh tokens were encrypted using an asymmetric RSA-OAEP algorithm.
In RSA, the **public key** is used for encryption. Because Azure B2C made this public key accessible (as is standard for public keys in OIDC/OAuth discovery endpoints), an attacker could obtain it and use it to encrypt a hand-crafted refresh token. Since the B2C service only checked if it could decrypt the token using its private key—and didn't adequately verify the authenticity of the token's origin—an attacker could forge tokens for any user account (via email or UUID) and redeem them for valid session tokens.
## Exploitation
- **Status**: PoC demonstrated by researchers; exploited in a controlled environment against the MSRC portal.
- **Complexity**: Low (The public key is trivial to obtain).
- **Attack Vector**: Network (Unauthenticated remote access).
## Impact
- **Confidentiality**: High (Access to arbitrary user data, including 0-day bug reports in the case of the MSRC portal).
- **Integrity**: High (Ability to impersonate any user and perform actions on their behalf).
- **Availability**: Low (Primary impact is account takeover).
## Remediation
### Patches
- **Service-side Fix (Dec 2022)**: Microsoft issued a narrow fix to address the information disclosure aspect.
- **Service-side Fix (Feb 2023)**: Microsoft rolled out a second fix to change how refresh tokens are handled, addressing the underlying crypto misuse.
- **Note**: These were backend changes; no mandatory customer software updates were required for basic remediation.
### Workarounds
- **Key Rotation**: Administrators are encouraged to rotate the cryptographic keys used for token encryption in the Azure portal.
- **Configuration Review**: Ensure custom policies do not rely solely on public-key encryption for internal state or token integrity where a shared secret or digital signature is more appropriate.
## Detection
- **Indicators of Compromise**: Discovery of unusual refresh token redemption patterns, specifically tokens redeemed that did not originate from a legitimate authorization code exchange.
- **Detection methods**: Review Azure AD B2C sign-in logs for unexpected IP addresses or locations associated with high-privilege accounts or security researcher accounts.
## References
- **Vendor Advisory**: Microsoft Security Response Center (MSRC)
- **Original Research**: hxxps[://]www[.]praetorian[.]com/blog/azure-b2c-crypto-misuse-and-account-compromise/
- **Azure Documentation**: hxxps[://]learn[.]microsoft[.]com/en-us/azure/active-directory-b2c/custom-policy-overview