Microsoft ADFS Vulnerability Enables Threat Actors to Circumvent Multi-Factor Authentication

A vulnerability (CVE-2018-8340) was discovered in Microsoft’s Active Directory Federation Services (ADFS) which can permit an attacker to very easily circumvent multi-factor authentication (MFA).

ADFS is employed by a lot of firms to secure accounts by employing a second factor to a password to protect accounts, such as vendors SecureAuth, Okta and RSA. It was an Okta security researcher, Andrew Lee, who identified the vulnerability.

An attacker can take advantage of the vulnerability by getting an employee’s login details plus a legitimate account authentication token. The attacker can use the token as authentication on some other account in the Active Directory with two-factor authentication established. All that’s needed is a username and password, which a threat actor could get via a phishing campaign or through a brute force attack on an account with a weak password.

Obtaining the second factor token is somewhat more difficult. The second factor is typically a mobile phone number, an email address or a smart card PIN number. That data could also probably be obtained through phishing or by impersonating a worker and asking for IT support to reset a user’s MFA token. It is simpler for an insider to take advantage of the vulnerability, since that person is most likely to have a valid MFA token.

The vulnerability is due to the way ADFS communicates whenever a user signs in. When there is an attempt to login, the server transfers an encrypted context log with the MFA token. However, the context log does not contain the username. Provided that a MFA token was signed up on one account it could be utilized as authentication on one more. ADFS doesn’t verify that the token was registered by the person trying to access the account.

Two browsers could be utilized to access two accounts. One browser is utilized to gain access to an account utilizing the right username, password, and MFA token. The second browser is utilized to gain access to an account where the MFA token isn’t owned. By acquiring details from the first session, an attacker can utilize the data to gain access to the second account. It is likely to gain access to any account on the network employing this approach, as long as the username and password is identified.

Two-factor authentication could stop unauthorized account access though the system isn’t perfect and could be bypassed, as revealed by this vulnerability. There were a lot of data breaches documented where there is a set-up multi-factor authentication but failed to protect the accounts. The lately identified breach at Reddit is one more example.

After finding the vulnerability, researcher Lee informed Microsoft, which issued a vulnerability patch and presented it Patch Tuesday on August 14.