Microsoft Flaw in ADFS Opens Doors for Malicious Hackers

By Enterprise Security Magazine | Friday, November 30, 2018

A vulnerability that allows attackers to bypass the multi-factor authentication (MFA) safeguards in Microsoft's Active Directory Federation Services (ADFS) has been discovered. It puts organizations where ADFS acts as the gatekeeper, using MFA to verify logins, at high risk.

Today, many organizations use ADFS to manage identities and access to resources throughout their enterprise. The vulnerability allows the second factor registered to one user account to satisfy the MFA check for every other account in the organization. In simpler terms, anyone holding a valid user ID and password can complete MFA for that account with any MFA key registered in the system, not just the one belonging to that user.

The mechanism works as follows. Whenever a user goes through authentication, the server issues an encrypted, signed context (described in the original report as a context log) that carries the vendor's MFA token. The shortcoming is that this context does not include the username, so the server cannot check that the MFA token belongs to the same user who supplied the password. ADFS verifies that the username and password are valid and, separately, that the MFA token is valid; it never verifies that the two factors belong to the same identity.
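As an added illustration, not code from Microsoft, ADFS or the researchers who reported the flaw, the following Python sketch models the defect described above with a toy federation server. The signing key, user table and one-time-password scheme are constructed for the demo, and an HMAC-signed context stands in for the encrypted, signed context the article mentions (encryption is left out because the flaw concerns what the context contains, not its confidentiality). The vulnerable login path accepts any valid MFA context alongside a valid password; the fixed path requires the signed context to name the account being logged in, which also makes the binding tamper-evident.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo data: a toy federation server, not ADFS code.
SERVER_KEY = b"constructed-demo-signing-key"                      # assumed server-side secret
PASSWORDS = {"alice": "correct-horse", "bob": "battery-staple"}   # first factor (demo only)
MFA_SEEDS = {"alice": b"alice-otp-seed", "bob": b"bob-otp-seed"}  # second factor (demo only)


def _sign(payload: dict) -> str:
    """Serialize and HMAC the MFA context (integrity only; encryption omitted)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def _verify(context: str) -> Optional[dict]:
    """Return the context payload if its tag checks out, else None."""
    try:
        body_b64, tag = context.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)
    except (ValueError, TypeError):  # wrong shape, bad base64, bad JSON
        return None


def otp_for(user: str) -> str:
    """Stand-in for the user's registered second factor (a real one would be time-based)."""
    return hmac.new(MFA_SEEDS[user], b"step", hashlib.sha256).hexdigest()[:6]


def first_factor_ok(user: str, password: str) -> bool:
    return hmac.compare_digest(PASSWORDS.get(user, "").encode(), password.encode())


def issue_mfa_context_unbound(user: str, otp: str) -> Optional[str]:
    """Vulnerable pattern: records that *a* second factor succeeded, but not whose."""
    if user not in MFA_SEEDS or not hmac.compare_digest(otp_for(user), otp):
        return None
    return _sign({"mfa": "ok"})


def issue_mfa_context_bound(user: str, otp: str) -> Optional[str]:
    """Fixed pattern: the signed context names the identity that passed MFA."""
    if user not in MFA_SEEDS or not hmac.compare_digest(otp_for(user), otp):
        return None
    return _sign({"mfa": "ok", "upn": user})


def login_vulnerable(user: str, password: str, context: str) -> bool:
    """Checks the password and the MFA context separately; never ties them together."""
    if not first_factor_ok(user, password):
        return False
    ctx = _verify(context)
    return ctx is not None and ctx.get("mfa") == "ok"


def login_fixed(user: str, password: str, context: str) -> bool:
    """Same checks, but the MFA context must belong to the account being logged in."""
    if not first_factor_ok(user, password):
        return False
    ctx = _verify(context)
    return ctx is not None and ctx.get("mfa") == "ok" and ctx.get("upn") == user


def forge_upn(context: str, new_user: str) -> str:
    """Attacker attempt: rewrite the bound identity without knowing SERVER_KEY."""
    body_b64, tag = context.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    payload["upn"] = new_user
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag  # old tag no longer matches


if __name__ == "__main__":
    # Scenario from the article: the attacker holds bob's password and controls alice's second factor.
    stolen_password = PASSWORDS["bob"]
    ctx_unbound = issue_mfa_context_unbound("alice", otp_for("alice"))
    ctx_bound = issue_mfa_context_bound("alice", otp_for("alice"))
    print("vulnerable server, bob's password + alice's MFA:", login_vulnerable("bob", stolen_password, ctx_unbound))
    print("fixed server, bob's password + alice's MFA:     ", login_fixed("bob", stolen_password, ctx_bound))
    print("fixed server, alice's context with forged upn:  ", login_fixed("bob", stolen_password, forge_upn(ctx_bound, "bob")))
```

The point of the fixed path is not the extra field by itself but that the field sits inside the signed payload: an attacker who owns one second factor can still obtain a valid context, but cannot re-label it for another account without the server's key.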

The impact of the flaw is significant, because obtaining both factors takes little effort for a malicious actor of moderate skill. First-factor credentials can be obtained through phishing, compromising a database and cracking the password hashes, compromising a host that holds plaintext passwords in memory, guessing common passwords, or guessing common variations of a password the same user has had leaked from a different environment. Second-factor access can come from an insider using their own MFA key, from socially engineering the IT help desk into resetting a second factor, from planting a USB keylogger, or from exploiting Bluetooth vulnerabilities.

Despite this, experts firmly believe that MFA is the way forward. Enterprises therefore have to do their due diligence and make sure their own MFA deployments do not contain gaps of this kind, in particular that the second factor is checked against the same identity as the first. Microsoft responded promptly and released a patch for the flaw within a week of its disclosure.