Microsoft ADFS flaw allows attackers to bypass MFA safeguards

A vulnerability (CVE-2018-8340) in Microsoft Active Directory Federation Services (ADFS) allows a second authentication factor for one account to be used for all other accounts in an organization, Okta REX Security Engineer Andrew Lee has discovered.

By employing some simple phishing and leveraging the flaw, an attacker could compromise accounts belonging to other employees or executives and access sensitive information through a variety of company resources.

About the vulnerability (CVE-2018-8340) and possible attacks

“Many organizations rely on ADFS to manage identities and resources across their entire enterprise. In this role, ADFS functions as an organizational gatekeeper,” Lee explained.

“ADFS Agents are extensions of ADFS that enable it to interoperate with an MFA provider by delegating second-factor authentication to the provider. MFA providers include Microsoft itself and third-party vendors like Okta, Gemalto, Duo, Authlogics, RSA, and SecureAuth.”

The discovered vulnerability arises from the fact that the protocol checks the credentials and the second authentication factor for validity, but not whether the provided second factor is associated with the actual account being logged into.

“First, the attacker submits the credentials for Alice and Bob at the AD login page, in two separate browsers, one for each account. The attacker observes the responses from the AD server, and finds the information associated with the second factor authentication flow for each user, the MFA Context and MFA Token,” Leed shared.

“The responses also come with new session cookies. By combining Bob’s MFA Context with Alice’s session cookie, the attacker can finish logging in as Alice using Bob’s second factor and MFA Token. The attacker does not need Alice’s second factor to log into her account — Alice’s second factor could meanwhile stay safe and sound in her pocket as her account is being compromised.”

The most obvious person to perform a successful attack by leveraging this flaw is a malicious insider with his own legitimate account.

An attacker could also first compromise an account for which the legitimate owner has not yet enrolled a second factor (the attacker can do that instead after phishing the login credentials) or can social engineer the IT help desk into resetting the second factor of the first account he or she means to compromise.

These attack scenarios are easier to pull off with a lower-privileged account and, once that access is achieved, the attacker can leverage this vulnerability to easily compromise an account with high privileges.

What now?

Okta has attempted a mitigation in its ADFS Agent, but it turned out not to be compatible with all ADFS environments. They’ve also reported the flaw to Microsoft, and the company has released patches today.

“Organizations that have set up ADFS with an ADFS MFA Agent should consider updating Microsoft ADFS. Microsoft’s patch should fix the vulnerability without applying any update to ADFS agents,” Lee advised.

Okta did not have to implement changes in its ADFS Agent, but advises users of other ADFS Agents to check with thir vendors to see if they need to update them.