Microsoft Flaw Allows Full Multi-Factor Authentication Bypass

silversurfer

Aug 17, 2014
A vulnerability in Microsoft’s Active Directory Federation Services (ADFS) has been uncovered that would allow malicious actors to bypass multi-factor authentication (MFA) safeguards.

Many organizations rely on ADFS to manage identities and resources across their entire enterprise, and ADFS functions as an organizational gatekeeper, using MFA to verify logins. The flaw (CVE-2018-8340), disclosed today, allows a second factor for one account to be used for all other accounts within an organization.

In other words, anyone with a legitimate user ID and password combination (credentials that can be phished by a bad actor) can use any MFA key that’s been registered on the system (typically a static option such as a second email, a smart-card PIN or a phone number, also all phish-able or accessible via social engineering or exploiting device vulnerabilities) to unlock any account on the system.

When a user attempts to go through the authentication process, the server transmits an encrypted “context” log. The file is correctly signed and encrypted, and contains the MFA token from the vendor. However, that context log doesn’t actually contain the user name, so there’s no way to check at any point that the MFA key is being used by the right person.

“Microsoft was not correctly checking that the credentials being used match the identity of the MFA – the system only sees a valid user name and password, and a valid MFA, but won’t check that both of those factors belong to the same identity,” explained Matias Brutti, Okta’s senior manager of research and exploitation, in an interview with Threatpost. “It’s a very simple mistake. But the system needs to correctly validate that the payload matches the user it’s trying to authenticate.”
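The missing check the article describes, as an added illustration that is not Microsoft's or ADFS's code: a toy signed "context" token issued once without the user identity and once with it, and the login verification each design permits. The signing key, token format and field names are constructed for the demo.

```python
# Added illustration (not Microsoft's or ADFS's code): a toy second-factor
# "context" token, once issued WITHOUT the user identity (the pattern the
# article describes) and once WITH it, plus the verification each allows.
import hmac, hashlib, json, time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"   # constructed secret for the demo only

def _sign(payload: dict) -> str:
    # Token = hex(body) "." HMAC-SHA256(body); integrity only, like a signed context.
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def _open(token: str) -> Optional[dict]:
    # Returns the payload if the MAC is valid, None if the token was tampered with.
    body_hex, _, mac = token.partition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)

def issue_context_unbound(mfa_result: str) -> str:
    # Flawed design: records that *some* second factor succeeded, but not for whom.
    return _sign({"mfa": mfa_result, "iat": int(time.time())})

def issue_context_bound(username: str, mfa_result: str) -> str:
    # Fixed design: the identity that satisfied the second factor is in the signed payload.
    return _sign({"sub": username, "mfa": mfa_result, "iat": int(time.time())})

def verify_login_unbound(username: str, password_ok: bool, context: str) -> bool:
    # Treats "valid password" and "valid MFA context" as two unrelated facts,
    # so a context minted for any account satisfies the check for every account.
    ctx = _open(context)
    return password_ok and ctx is not None and ctx.get("mfa") == "ok"

def verify_login_bound(username: str, password_ok: bool, context: str) -> bool:
    # Additionally requires that the second factor was satisfied by the same identity.
    ctx = _open(context)
    return (password_ok and ctx is not None and ctx.get("mfa") == "ok"
            and ctx.get("sub") == username)
```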