silversurfer
Thread author
A vulnerability in Microsoft’s Active Directory Federation Services (ADFS) has been uncovered that would allow malicious actors to bypass multi-factor authentication (MFA) safeguards.
Many organizations rely on ADFS to manage identities and resources across their entire enterprise, and ADFS functions as an organizational gatekeeper, using MFA to verify logins. The flaw (CVE-2018-8340), disclosed today, allows a second factor for one account to be used for all other accounts within an organization.
In other words, anyone with a legitimate user ID and password combination (credentials that can be phished by a bad actor) can use any MFA key that’s been registered on the system (typically a static option such as a second email, a smart-card PIN or a phone number, also all phish-able or accessible via social engineering or exploiting device vulnerabilities) to unlock any account on the system.
When a user attempts to go through the authentication process, the server transmits an encrypted “context” log. The file is correctly signed and encrypted, and contains the MFA token from the vendor. However, that context log doesn’t actually contain the user name, so there’s no way to check at any point that the MFA key is being used by the right person.
“Microsoft was not correctly checking that the credentials being used match the identity of the MFA – the system only sees a valid user name and password, and a valid MFA, but won’t check that both of those factors belong to the same identity,” explained Matias Brutti, Okta’s senior manager of research and exploitation, in an interview with Threatpost. “It’s a very simple mistake. But the system needs to correctly validate that the payload matches the user it’s trying to authenticate.”
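The identity-binding mistake described in the post, shown as an added worked example. This is not the original post's material, not Threatpost's or Okta's code, and not ADFS's real token format: the HMAC-signed JSON "context", the function names, the `upn` field and the sample users and key are all assumptions made here for illustration. The flawed path validates the password and the MFA context independently, so a phished password for one account plus a context issued for any other account's second factor is accepted; the hardened path puts the identity inside the signed context and compares it to the account being authenticated.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data (not real ADFS material): a server signing key and
# the password store for two enrolled users.
SERVER_KEY = b"constructed-server-signing-key"
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}


def sign_context(payload: dict) -> str:
    """Serialise a context and append an HMAC-SHA256 tag. This stands in for
    the signed/encrypted context the article describes; only signing is modelled."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def verify_context(token: str) -> Optional[dict]:
    """Return the payload if the tag is valid, else None. A valid tag proves the
    server issued this context, not which account it was issued for."""
    try:
        b64_body, b64_tag = token.split(".", 1)
        body = base64.b64decode(b64_body, validate=True)
        tag = base64.b64decode(b64_tag, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def issue_mfa_context_unbound(user: str) -> str:
    """Flawed issuer: records that a second factor succeeded, but not whose."""
    return sign_context({"mfa_ok": True, "provider": "constructed-mfa"})


def issue_mfa_context_bound(user: str) -> str:
    """Hardened issuer: the authenticated identity is part of the signed payload."""
    return sign_context({"mfa_ok": True, "provider": "constructed-mfa", "upn": user})


def login_vulnerable(user: str, password: str, mfa_context: str) -> bool:
    """Checks the password and the MFA context separately; never compares identities."""
    if PASSWORDS.get(user) != password:
        return False
    ctx = verify_context(mfa_context)
    return bool(ctx and ctx.get("mfa_ok"))


def login_fixed(user: str, password: str, mfa_context: str) -> bool:
    """Accepts the context only if it was bound to the same identity as the password."""
    if PASSWORDS.get(user) != password:
        return False
    ctx = verify_context(mfa_context)
    return bool(ctx and ctx.get("mfa_ok") and ctx.get("upn") == user)


def rebind_context(token: str, new_user: str) -> str:
    """Attacker attempt: swap the upn in a bound context without the signing key.
    The tag no longer matches the body, so verify_context rejects the result."""
    b64_body, b64_tag = token.split(".", 1)
    payload = json.loads(base64.b64decode(b64_body))
    payload["upn"] = new_user
    forged_body = json.dumps(payload, sort_keys=True).encode()
    return base64.b64encode(forged_body).decode() + "." + b64_tag


def demo() -> dict:
    """Scenario: phished password for alice, MFA context issued for bob's second factor."""
    bob_unbound = issue_mfa_context_unbound("bob")
    bob_bound = issue_mfa_context_bound("bob")
    return {
        "vulnerable_accepts_mismatch": login_vulnerable("alice", "alice-pw", bob_unbound),
        "fixed_rejects_mismatch": not login_fixed("alice", "alice-pw", bob_bound),
        "fixed_accepts_owner": login_fixed("bob", "bob-pw", bob_bound),
        "fixed_rejects_rebound": not login_fixed(
            "alice", "alice-pw", rebind_context(bob_bound, "alice")
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point to take from the example is that a cryptographically valid second-factor assertion is not enough on its own: the assertion has to name the subject it was produced for, and the relying party has to compare that subject with the account whose first factor was just verified. The same check applies to any two-stage login where the stages are handled by different components.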