What is the Issue?
A vulnerability was discovered in the way multi-factor authentication (MFA) requests are handled by Microsoft’s Active Directory Federation Services (ADFS). It appears that an attacker can compromise a user’s account by bypassing the multi-factor token request. If an attacker holds valid credentials for two or more accounts in the same organization, they can compromise another user’s session by stealing the details associated with that user’s session cookie. Once the session cookie details are compromised, a multi-factor token belonging to either account can be used to complete the multi-factor authentication phase of single sign-on.
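The root cause described above is a second-factor result that is not bound to the primary-authenticated identity. The following toy model is an added illustration, not ADFS code or SKOUT’s analysis: it assumes a per-user session, an MFA context carried in a cookie, and a constructed per-user token table, and contrasts a verifier that accepts any verified context with one that checks the context belongs to the same user and session.

```python
"""Toy model of an unbound second-factor check (added example, not ADFS code)."""
import secrets
from dataclasses import dataclass

# Constructed sample data: one static MFA token per user (stand-in for a real OTP).
MFA_TOKENS = {"alice": "123456", "bob": "654321"}


@dataclass
class Session:
    session_id: str
    user: str          # identity proven by primary (password) authentication
    mfa_done: bool = False


@dataclass
class MfaContext:
    context_id: str    # value that travels in the MFA cookie
    user: str          # user the second factor was requested for
    session_id: str    # primary session this context was created for
    verified: bool = False


class SsoServer:
    def __init__(self):
        self.sessions, self.contexts = {}, {}

    def primary_login(self, user):
        """Password step: create a session and an MFA context tied to it."""
        sess = Session(secrets.token_hex(8), user)
        ctx = MfaContext(secrets.token_hex(8), user, sess.session_id)
        self.sessions[sess.session_id], self.contexts[ctx.context_id] = sess, ctx
        return sess.session_id, ctx.context_id

    def submit_token(self, context_id, token):
        """Second-factor step: mark the context verified if the user's token matches."""
        ctx = self.contexts.get(context_id)
        if ctx is None or MFA_TOKENS.get(ctx.user) != token:
            return False
        ctx.verified = True
        return True

    def finish_login_unbound(self, session_id, context_id):
        """Flawed: any verified context completes any session (the bypass pattern)."""
        ctx, sess = self.contexts.get(context_id), self.sessions.get(session_id)
        if ctx is None or sess is None or not ctx.verified:
            return False
        sess.mfa_done = True
        return True

    def finish_login_bound(self, session_id, context_id):
        """Fixed: the verified context must belong to this session and this user."""
        ctx, sess = self.contexts.get(context_id), self.sessions.get(session_id)
        if ctx is None or sess is None or not ctx.verified:
            return False
        if ctx.session_id != session_id or ctx.user != sess.user:
            return False   # second factor was proven for a different identity
        sess.mfa_done = True
        return True
```

The bound check is the property to look for in any SSO flow: the MFA result must be tied to the same principal and session that passed primary authentication, not merely to a valid cookie.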
Why is this noteworthy?
As more applications and services move to the cloud, authentication via single sign-on is becoming more important. Microsoft ADFS is used by many businesses as a Single Sign-On (SSO) service and as a way to manage identities and resources. It is often integrated with Microsoft Active Directory to manage extranet authentication for services such as the Office 365 suite, which includes Lync, SharePoint and Microsoft Exchange, to name a few. Amazon AWS is another service commonly integrated with Microsoft ADFS.
What is the exposure or risk?
Unpatched Microsoft Windows Server 2016, Windows Server 2012 R2 and Windows 10 servers are exposed to this security bypass vulnerability.
What are the recommendations?
SKOUT recommends that users of ADFS patch affected servers according to CVE-2018-8340.
References:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8340
- https://www.okta.com/security-blog/2018/08/multi-factor-authentication-microsoft-adfs-vulnerability
If you have any questions, please contact our Security Intelligence Center.