Bug: Bloodhound CE: Edge AZResetPassword to owners of groups with high-tier role assignments #944

Open
4 tasks done
zh54321 opened this issue Nov 8, 2024 · 0 comments
Labels
bug Something isn't working triage This issue requires triaging

zh54321 commented Nov 8, 2024

Description:

The edge AZResetPassword is created between a low-tier admin role and the owner of a group which has a high-tier admin role assigned.

Are you intending to fix this bug?

No.

Component(s) Affected:

BloodHound Edge

Steps to Reproduce:

  1. Create a role-assignable group
  2. Assign the role privileged authentication administrator to it (active assignment)
  3. Create a user and add him as the owner of the group created in step 1
  4. Create another user and assign him the role user administrator (active assignment)
  5. Collect the data with AzureHound and import it
  6. Check paths between the user created in step 4 and the role privileged authentication admin

Expected Behavior:

The edge should not be created.

Actual Behavior:

Screenshots/Code Snippets/Sample Files:

According to BloodHound a User Administrator can reset the password of a user who owns a group with a privileged role assignment:
[screenshot 3_1]

However, a low-tier admin (example: user administrator) can't reset the passwords of users who are related to high-privileged roles:
[screenshot 3_2]

Microsoft also protects not only the members of the group who have a privileged role but also the owners. Therefore, the edge is wrong:
[screenshot 3_3]
Source:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/privileged-roles-permissions?tabs=admin-center#who-can-reset-passwords

Environment Information:

Bloodhound CE: 6.1.0
Neo4j: 4.4.38
PostgreSQL: 16.4 (Debian 16.4-1.pgdg120+2)
GraphDB version: v6.1.0
API Version: v6.1.0
AzureHound: v2.2.1

Potential Solution (optional):

BloodHound already does not create the edges for members of the privileged group. The same checks should be implemented for the owners.

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
  • I have attached necessary supporting documents.
@zh54321 zh54321 added bug Something isn't working triage This issue requires triaging labels Nov 8, 2024
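The check the reporter asks for, written out as an added example. This is not code from the issue, from BloodHound CE or from AzureHound; it is a small Python model of the post-processing decision behind the AZResetPassword edge. Principal and group names (user-admin, owner-user, grp-privauth) are made up, the allow-list USER_ADMIN_CAN_RESET is a partial transcription of the Microsoft "who can reset passwords" table linked above, and only a User Administrator source is modelled. The `include_owners` flag switches between the behaviour reported for BloodHound CE 6.1.0 (owners ignored) and the proposed fix (owners of a group with a role assignment protected like its members).

```python
"""Constructed model of the AZResetPassword post-processing check.

Added example for illustration; not BloodHound or AzureHound code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Roles whose holders a User Administrator may reset passwords for.
# Partial transcription of the Microsoft table linked in the issue; assumption:
# any role not listed here is treated as high-tier, so its holders are protected.
USER_ADMIN_CAN_RESET = {
    "Directory Readers",
    "Groups Administrator",
    "Guest Inviter",
    "Helpdesk Administrator",
    "Message Center Reader",
    "Password Administrator",
    "Reports Reader",
    "User Administrator",
}


@dataclass
class Directory:
    # principal (user or role-assignable group) -> active role assignments
    role_assignments: dict[str, set[str]] = field(default_factory=dict)
    # group -> member principals
    group_members: dict[str, set[str]] = field(default_factory=dict)
    # group -> owner principals
    group_owners: dict[str, set[str]] = field(default_factory=dict)

    def held_roles(self, user: str) -> set[str]:
        """Roles a principal actually holds: direct assignments plus those of
        groups it is a member of. Owning a group grants no role."""
        roles = set(self.role_assignments.get(user, ()))
        for group, members in self.group_members.items():
            if user in members:
                roles |= self.role_assignments.get(group, set())
        return roles

    def protecting_roles(self, user: str, include_owners: bool) -> set[str]:
        """Roles that protect `user` against resets by lower-tier admins.

        Entra treats owners of a role-assigned group like its members (an owner
        can add themselves), so the fix is to fold owned groups' roles in too.
        include_owners=False reproduces the reported behaviour.
        """
        roles = self.held_roles(user)
        if include_owners:
            for group, owners in self.group_owners.items():
                if user in owners:
                    roles |= self.role_assignments.get(group, set())
        return roles


def az_reset_password_edge(d: Directory, source: str, target: str,
                           include_owners: bool = True) -> bool:
    """True if an AZResetPassword edge source -> target should be emitted."""
    if source == target:
        return False
    if "User Administrator" not in d.held_roles(source):
        return False  # only User Administrator sources are modelled here
    # Allowed only when every role protecting the target is one the
    # User Administrator is permitted to reset.
    return d.protecting_roles(target, include_owners) <= USER_ADMIN_CAN_RESET


def reproduction_tenant() -> Directory:
    """Steps 1-4 of the issue as constructed data (plus one group member)."""
    d = Directory()
    # steps 1+2: role-assignable group with an active privileged role
    d.role_assignments["grp-privauth"] = {"Privileged Authentication Administrator"}
    # step 3: a user who owns that group but holds no role himself
    d.group_owners["grp-privauth"] = {"owner-user"}
    # step 4: a user holding User Administrator
    d.role_assignments["user-admin"] = {"User Administrator"}
    # extra: a member of the group, which BloodHound already handles correctly
    d.group_members["grp-privauth"] = {"member-user"}
    return d


if __name__ == "__main__":
    tenant = reproduction_tenant()
    for owners in (False, True):
        edge = az_reset_password_edge(tenant, "user-admin", "owner-user", owners)
        print(f"include_owners={owners}: AZResetPassword user-admin -> owner-user = {edge}")
```

With `include_owners=False` the edge to the group owner is emitted, which is the screenshot 3_1 result; with `include_owners=True` it is suppressed, matching Microsoft's behaviour in screenshot 3_2. The member case is suppressed either way, which is the "same check for owners" the potential-solution section asks for.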