According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to perform?

An attacker would have to send the victim a malicious file that the victim would have to execute.

According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H). What does that mean for this vulnerability?

Exploiting this vulnerability will allow an attacker to access resources that are protected by conditional access policies based solely on device compliance state. For more information, please refer to Scenarios for using Conditional Access with Microsoft Intune - Microsoft Intune | Microsoft Docs.

To what scenario is this vulnerability applicable?

This vulnerability only affects Azure AD-joined Autopilot devices that are also used for conditional access for compliance, and only impacts Autopilot pre-registered devices that are enabled for either self-deploying mode or pre-provisioning mode, both of which use TPM-based device authentication instead of user-based credentials/MFA.

What is the nature of the spoofing?

Replaying a Microsoft Account (MSA) device ticket from one device on another allows a second, non-authorized device to perform an AAD join and replace the original device.
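The confidentiality answer above turns on policies that grant access "based solely on device compliance state". The following added example (not part of the advisory and not Microsoft code) shows one way to find such policies in an export of Conditional Access policies; it assumes the JSON shape returned by the Microsoft Graph conditionalAccess/policies endpoint, and the sample policies are constructed.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# /identity/conditionalAccess/policies (names and values invented here).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Require compliant device", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Compliant device or MFA", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
  {"displayName": "Compliant device and MFA", "state": "enabled",
   "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]}},
  {"displayName": "Old pilot", "state": "disabled",
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]}
""")


def compliance_alone_grants(policy):
    """True if an enforced policy can be satisfied by device compliance alone."""
    if policy.get("state") != "enabled":
        return False  # disabled and report-only policies enforce nothing
    grant = policy.get("grantControls") or {}
    builtin = grant.get("builtInControls") or []
    if "compliantDevice" not in builtin:
        return False
    # Every requirement other than compliance that the policy lists.
    others = [c for c in builtin if c != "compliantDevice"]
    others += grant.get("customAuthenticationFactors") or []
    others += grant.get("termsOfUse") or []
    if grant.get("authenticationStrength"):
        others.append("authenticationStrength")
    # OR: any one control suffices, so compliance is enough on its own.
    # AND: compliance is enough only when nothing else is required.
    return (grant.get("operator") or "OR").upper() == "OR" or not others


def audit(export):
    """Return display names of policies that need review."""
    return [p["displayName"] for p in export.get("value", [])
            if compliance_alone_grants(p)]


if __name__ == "__main__":
    for name in audit(SAMPLE_EXPORT):
        print("review:", name)
```

Conditional Access applies every matching policy together, so a flagged policy is a starting point for review: check whether another enforced policy covering the same users and applications also requires MFA.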
<a href="https://twitter.com/_dirkjan">Dirk-jan Mollema</a>