Microsoft has issued an advisory about Windows Hello for Business (WHfB) and its implementation in Active Directory: WHfB public keys remain in Active Directory even after the device they belong to has been removed from it.
A newly identified vulnerability in WHfB could let an attacker authenticate as a user in Active Directory by making use of these orphaned keys. Microsoft was quick to provide a workaround, in part because the problem originates in certain Trusted Platform Module (TPM) chipsets rather than in the software itself.
According to a Dark Reading report, security researcher Michael Grafnetter found the issue while investigating WHfB. He found that, when a user sets up WHfB, the credentials are stored in Active Directory and linked to a user and device. The problem arises when the device is removed, and the corresponding keys become orphaned.
“Microsoft is aware of an issue in Windows Hello for Business (WHfB) with public keys that persist after a device is removed from Active Directory, if the AD exists,” read Microsoft’s advisory. “After a user sets up Windows Hello for Business (WHfB), the WHfB public key is written to the on-premises Active Directory.”
“The WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned. However, these orphaned keys are not deleted even when the device they were created on is no longer present. Any authentication to Azure AD using such an orphaned WHfB key will be rejected. However, some of these orphaned keys could lead to the following security issue in Active Directory 2016 or 2019, in either hybrid or on-premises environments.”
On the affected Trusted Platform Modules (TPMs), the vulnerability gives an attacker the means to compute a WHfB private key from an orphaned public key. The next step would be to use that key to authenticate to the targeted domain with Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).
The problem only affects on-premises-only environments, which consist of Active Directory 2016 or 2019, both with AD FS. Microsoft also offers advice for administrators who want to mitigate some of the effects.
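Finding the orphaned keys the advisory describes comes down to reading each user's msDS-KeyCredentialLink attribute and checking whether the DeviceId recorded in it still corresponds to a device in the directory. The Python below is an added example, not Microsoft's tooling or code from the advisory: it parses the attribute's DN-With-Binary value following the KEYCREDENTIALLINK_BLOB layout from MS-ADTS and flags entries whose DeviceId is absent from a list of known devices. The attribute values, owner DN and device list are constructed sample data.

```python
import struct
import uuid

# Entry identifiers of KEYCREDENTIALLINK_ENTRY (MS-ADTS section 2.2.20)
ENTRY_NAMES = {0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
               0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
               0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime"}

def parse_key_credential_link(value: str) -> dict:
    """Parse one msDS-KeyCredentialLink value (DN-With-Binary: 'B:<hexlen>:<hex>:<DN>')."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B" or len(parts[2]) != int(parts[1]):
        raise ValueError("malformed DN-With-Binary value")
    blob = bytes.fromhex(parts[2])
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version {version:#x}")
    entries, off = {}, 4
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)  # USHORT Length, BYTE Identifier
        data = blob[off + 3:off + 3 + length]
        if len(data) != length:
            raise ValueError("truncated KEYCREDENTIALLINK_ENTRY")
        entries[ENTRY_NAMES.get(ident, f"Unknown{ident:#x}")] = data
        off += 3 + length
    dev = entries.get("DeviceId")
    return {"owner": parts[3],
            "device_id": str(uuid.UUID(bytes_le=dev)) if dev and len(dev) == 16 else None,
            "key_material": entries.get("KeyMaterial", b"")}

def find_orphaned_keys(values, known_device_ids):
    """Return parsed keys whose DeviceId is missing or not among the devices still in the directory."""
    known = {d.lower() for d in known_device_ids}
    return [k for k in (parse_key_credential_link(v) for v in values)
            if k["device_id"] is None or k["device_id"] not in known]

def _sample_value(owner_dn: str, device_guid: str, key: bytes) -> str:
    """Construct a sample attribute value (test data, not exported from a real directory)."""
    body = b"".join(struct.pack("<HB", len(d), i) + d
                    for i, d in ((0x03, key), (0x06, uuid.UUID(device_guid).bytes_le)))
    hexs = (struct.pack("<I", 0x200) + body).hex().upper()
    return f"B:{len(hexs)}:{hexs}:{owner_dn}"

# Constructed sample: two WHfB keys on one user; only the first device still exists
KNOWN_DEVICES = ["11111111-2222-3333-4444-555555555555"]
SAMPLE_VALUES = [
    _sample_value("CN=jdoe,OU=Users,DC=corp,DC=example", KNOWN_DEVICES[0], b"\x30\x82\x01\x0a"),
    _sample_value("CN=jdoe,OU=Users,DC=corp,DC=example", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", b"\x30\x82\x01\x22"),
]
```

Against a real domain, `values` would be the msDS-KeyCredentialLink values read over LDAP and `known_device_ids` the objectGUIDs of devices still registered; any entry `find_orphaned_keys` returns is a candidate for removal under the advisory's guidance.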
In corporate environments the use of WHfB is usually tightly controlled for security reasons. Organizations that opt for login with direct credentials (user name and password) do so because they consider it more secure, yet even complex, strong passwords offer no protection if they can be bypassed through another login method.