Update your Federation Servers with MS14-077 to patch CVE-2014-6331 (Important)

During the November 2014 Patch Tuesday, Microsoft released Security Bulletin MS14-077. It describes a vulnerability in Active Directory Federation Services (AD FS) that could allow unintentional information disclosure, and how to fix it by installing the security update shipped as KB3003381 on your Active Directory Federation Servers, including the proxies.


About MS14-077

The security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow unintentional information disclosure if a person logs off from an application but leaves the browser open, and an attacker then reopens the application in that browser immediately afterwards. The logoff is not properly processed by AD FS, so the earlier session can still be used.

The CVE-2014-6331 entry describes the problem as: AD FS, “when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation”. In other words, the exposure is per relying party: SAML relying party trusts configured without a logout endpoint are the ones affected.

Affected implementations of AD FS

This security update is rated Important for the following implementations of Active Directory Federation Services (AD FS):

  • AD FS 2.0 when installed on 32-bit and x64-based editions of Windows Server 2008
  • AD FS 2.0 when installed on x64-based editions of Windows Server 2008 R2
  • AD FS 2.1 when installed on x64-based editions of Windows Server 2012
  • AD FS 3.0 when installed on x64-based editions of Windows Server 2012 R2

Mitigating factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.


Call to Action

Since Microsoft lists no mitigating factors or workarounds, I urge you to install KB3003381 in a test environment as soon as possible, assess the risks and possible impact on your production environment and then roll the update out to all systems with the Active Directory Federation Services role installed, including AD FS Proxies (AD FS 2.x) and Web Application Proxies (the proxy role for AD FS 3.0 on Windows Server 2012 R2).
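Two checks a practitioner will want while rolling this out: which federation servers and proxies still lack KB3003381, and which SAML relying party trusts have no sign-out endpoint (the configuration CVE-2014-6331 singles out). The PowerShell below is an added example written for this post, not Microsoft's code or anything from the bulletin. It assumes the server names in the list are yours to replace, that WinRM/RPC access to those servers is available for Get-HotFix, that it runs on an AD FS 3.0 server where the ADFS module is loaded (on AD FS 2.0/2.1 load the Microsoft.Adfs.PowerShell snap-in first; the cmdlet names are the same), and that a logout endpoint on a relying party trust is reported with Protocol "SAMLLogout" (my assumption about the endpoint object, verify it against one of your own trusts).

```powershell
# Constructed list of federation servers and proxies; replace with your own.
$AdfsHosts = @('ADFS01', 'ADFS02', 'ADFSPROXY01', 'WAP01')

# Report, per host, whether KB3003381 (the MS14-077 update) is installed.
function Test-Kb3003381Installed {
    param([string[]] $ComputerName = $AdfsHosts)

    foreach ($host in $ComputerName) {
        try {
            # Get-HotFix queries Win32_QuickFixEngineering on the remote host.
            $fix = Get-HotFix -Id 'KB3003381' -ComputerName $host -ErrorAction Stop
            [pscustomobject]@{ Computer = $host; Installed = $true;  InstalledOn = $fix.InstalledOn }
        }
        catch {
            # Get-HotFix throws when the KB is absent or the host is unreachable;
            # distinguish the two so an unreachable host is not reported as patched.
            $reachable = Test-Connection -ComputerName $host -Count 1 -Quiet
            [pscustomobject]@{ Computer = $host; Installed = $false; InstalledOn = $(if ($reachable) { 'missing' } else { 'unreachable' }) }
        }
    }
}

# List SAML relying party trusts that have no logout endpoint at all.
# These are the trusts the CVE description applies to; listing them is for
# risk assessment only, it is not a workaround (Microsoft lists none).
function Get-SamlRpWithoutLogoutEndpoint {
    Get-AdfsRelyingPartyTrust | Where-Object {
        # Only SAML trusts matter here: WS-Federation trusts carry no SAML endpoints.
        $isSaml = $_.SamlEndpoints.Count -gt 0
        # Assumption: logout endpoints are exposed with Protocol 'SAMLLogout'.
        $hasLogout = $_.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' }
        $isSaml -and -not $hasLogout
    } | Select-Object Name, Identifier, Enabled
}

Test-Kb3003381Installed | Format-Table -AutoSize
Get-SamlRpWithoutLogoutEndpoint | Format-Table -AutoSize
```

Run the first function again after the rollout; any host that still reports "missing" needs the update, and a host reporting "unreachable" needs to be checked by hand rather than assumed patched.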

Related KnowledgeBase Articles

3003381 MS14-077: Vulnerability in Active Directory Federation Services could allow information disclosure: November 11, 2014

Further reading

Microsoft Security Bulletin MS14-077 – Important
Assessing Risk for the November 2014 Security Updates
Terminology used in ADFS
