During the November 2014 Patch Tuesday, Microsoft released Security Bulletin MS14-077, which describes how a vulnerability in Active Directory Federation Services (AD FS) could allow unintentional information disclosure, and how you fix it by installing the security update shipped as KB3003381 on your Active Directory Federation Servers, including the proxies.
The security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow unintentional information disclosure if a person leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the person has logged off.
The problem is tracked as CVE-2014-6331, which describes it as follows: AD FS, “when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation”.
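Because the CVE text ties the issue to SAML relying parties without a sign-out endpoint, it helps to know which of your relying party trusts fall into that category before you schedule the rollout. The script below is an added example for this post, not Microsoft's code, and it is an inventory aid only; Microsoft lists no workaround for this vulnerability, so adding endpoints is not a substitute for installing the update. It assumes it is run on an AD FS 2.1/3.0 federation server with the ADFS module (on AD FS 2.0 load the `Microsoft.Adfs.PowerShell` snap-in instead); the property and cmdlet names are those of the AD FS PowerShell module.

```powershell
# Added example: list SAML relying party trusts that have no sign-out (SAMLLogout) endpoint,
# the condition named in CVE-2014-6331. Not part of the original post.
# AD FS 2.1/3.0: Import-Module ADFS. AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS -ErrorAction Stop

$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    # A relying party with no SAML endpoints at all is a WS-Federation RP; skip it.
    $samlEndpoints = @($rp.SamlEndpoints)
    if ($samlEndpoints.Count -eq 0) { continue }

    $logoutEndpoints = @($samlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' })

    [pscustomobject]@{
        Name              = $rp.Name
        Identifier        = ($rp.Identifier -join ';')
        LogoutEndpoints   = $logoutEndpoints.Count
        HasLogoutEndpoint = ($logoutEndpoints.Count -gt 0)
    }
}

# Trusts without a SAMLLogout endpoint are the ones the CVE text describes.
$report | Where-Object { -not $_.HasLogoutEndpoint } | Format-Table -AutoSize
```

Run it under an account that is an AD FS administrator; the output is a list of trust names and identifiers you can hand to the application owners while the patch is being tested.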
Affected implementations of AD FS
This security update is rated Important for the following implementations of Active Directory Federation Services (AD FS):
- AD FS 2.0 when installed on 32-bit and x64-based editions of Windows Server 2008
- AD FS 2.0 when installed on x64-based editions of Windows Server 2008 R2
- AD FS 2.1 when installed on x64-based editions of Windows Server 2012
- AD FS 3.0 when installed on x64-based editions of Windows Server 2012 R2
Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.
Call to Action
Since no mitigating factors or workarounds are available, I urge you to install KB3003381 in a test environment as soon as possible, assess the risks and possible impact on your production environment, and then roll out the update to all systems with the Active Directory Federation Services role installed, including AD FS Proxies and Web Application Proxies.
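Once the update has been approved, a quick way to confirm that every federation server and proxy actually received it is to query each host for the hotfix. The script below is an added example written for this post, not Microsoft's or the bulletin's own tooling; the host names are placeholders, and it assumes remote WMI (RPC/DCOM) access and local administrator rights on the targets, which `Get-HotFix -ComputerName` requires.

```powershell
# Added example: report whether KB3003381 (MS14-077) is installed on each AD FS server
# and proxy. Not part of the original post. Host names below are placeholders.
$hosts = @('adfs01.corp.example', 'adfs02.corp.example', 'wap01.corp.example')

$report = foreach ($h in $hosts) {
    # Distinguish "unreachable" from "reachable but unpatched".
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        [pscustomobject]@{ Host = $h; KB3003381 = 'Unreachable'; InstalledOn = $null }
        continue
    }

    # Get-HotFix reads Win32_QuickFixEngineering over WMI; a missing KB is a
    # non-terminating error, so suppress it and test the result instead.
    $hf = Get-HotFix -Id 'KB3003381' -ComputerName $h -ErrorAction SilentlyContinue
    $state = if ($hf) { 'Installed' } else { 'MISSING' }
    $date  = if ($hf) { $hf.InstalledOn } else { $null }

    [pscustomobject]@{ Host = $h; KB3003381 = $state; InstalledOn = $date }
}

$report | Format-Table -AutoSize

# Return a non-zero exit code if any reachable host still lacks the update,
# so the check can gate a change ticket or a scheduled task.
if ($report | Where-Object { $_.KB3003381 -eq 'MISSING' }) { exit 1 }
```

Unreachable hosts are reported separately rather than treated as patched, so a proxy in the DMZ that blocks RPC shows up as something to verify by hand instead of silently passing.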