Please note: this article is only available to Hosted and Self-Hosted partners.
This is a short update on the hotfix of 11-7-2023. A more detailed post mortem, with a chronological summary and the measures taken, will follow.
An authorised environment user (a non-administrator) could perform some actions intended only for authorised environment administrators if the URLs of the corresponding action endpoints were known.
In other words, an attacker already needed authorised access to the victim's Workspace 365 environment to make use of this.
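To illustrate the class of misconfiguration described above, here is an added Python example that is not Workspace 365 code: a minimal request dispatcher in its "before" form (only authentication is checked server-side; the admin-only actions are merely not linked from the UI) beside the corrected form that enforces the administrator role on every action endpoint, together with a regression check that lists which admin-only endpoints a plain user can still reach. The endpoint paths, roles and users are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool

# Hypothetical action endpoints; the paths are constructed for this example.
ADMIN_ACTIONS = {"/admin/users/delete", "/admin/settings/regenerate-key"}
USER_ACTIONS = {"/me/profile"}

Handler = Callable[[Optional[User], str], str]

def handle_weak(user: Optional[User], path: str) -> str:
    """'Before': only 'is the caller logged in?' is enforced server-side.
    The admin-only restriction exists solely because the UI never shows the
    link, so any authenticated user who knows the URL gets through."""
    if user is None:
        return "401 Unauthorized"
    if path in ADMIN_ACTIONS or path in USER_ACTIONS:
        return "200 OK"
    return "404 Not Found"

def handle_fixed(user: Optional[User], path: str) -> str:
    """'After': every action endpoint checks the role it requires, so knowing
    the URL no longer helps a non-administrator."""
    if user is None:
        return "401 Unauthorized"
    if path in ADMIN_ACTIONS:
        return "200 OK" if user.is_admin else "403 Forbidden"
    if path in USER_ACTIONS:
        return "200 OK"
    return "404 Not Found"

def audit_admin_actions(handler: Handler) -> set:
    """Regression check: return the admin-only endpoints that a constructed
    non-admin user can successfully invoke through the given handler.
    An empty set means the authorisation check is enforced everywhere."""
    plain_user = User("plain-user", is_admin=False)  # constructed sample user
    return {p for p in ADMIN_ACTIONS if handler(plain_user, p) == "200 OK"}
```

Running `audit_admin_actions` against a deployed build is the kind of check worth keeping in a test suite, since a single endpoint that skips the role check reintroduces the problem.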
We've rolled out a hotfix in 3.62.1 and 3.63.1 which patches this misconfiguration. For Hosted partners, this has already been deployed on 11-07-2023 22:00 CET.
For Self-Hosted partners, we strongly advise deploying this hotfix if you have not already done so.
To be clear, we have not found any signs that this misconfiguration has actually been abused, and we continue to monitor for this.
As a precaution, we recommend that you re-generate the Azure AD sync API key or the SCIM API key in the environment if you have enabled this functionality. Be sure to update the API key in the synctool or SCIM configuration as well.
Instructions to re-generate key
From the moment you re-generate the key until the new key is configured on the Azure AD side, there is no connection (i.e. no sync) between your AAD and Workspace 365. However, all existing users remain in the Workspace and can still log in during this period.
SCIM
1. Go to the Workspace admin settings page
2. Go to Users & Groups
3. Select the User Provisioning page
4. Check that “Automated user provisioning using SCIM” is selected
5. Re-generate the key and note it down (tip: store this key somewhere safe)
6. Go to Azure AD
7. Go to the support article Azure SCIM client setup and read step 2.12
8. In Azure AD, replace the Access Token with the key you generated in step 5
9. Save your configuration
AAD synctool
1. Go to the Workspace admin settings page
2. Go to Users & Groups
3. Select the User Provisioning page
4. Check that “Azure Active Directory (AD) sync” is selected
5. Re-generate the key and note it down (tip: store this key somewhere safe)
6. Open your Azure AD configuration UI
7. Replace the API Authentication token with the key you generated in step 5
8. Save your configuration