Vulnerability in Active Directory Federation Services could allow elevation of privilege (Important, CVE-2015-1757, MS15-062)

Today, Microsoft released update 3062577 as part of its June 2015 Patch Tuesday to address a cross-site scripting vulnerability that affects Active Directory Federation Services (AD FS) 2.0 and Active Directory Federation Services (AD FS) 2.1 installations.

Note:
This means Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 are affected, but Windows Server 2012 R2 with its new IIS-less Active Directory Federation Services (AD FS) implementation is not affected.


About the vulnerability

An elevation of privilege vulnerability exists in the way that URLs are sanitized in Active Directory Federation Services (AD FS). An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

To exploit this vulnerability, an attacker must be able to submit a specially crafted URL to a target site. Because of the vulnerability, in specific situations the crafted script is not properly sanitized, so attacker-supplied script can run in the security context of a user who views the malicious content. For cross-site scripting attacks to succeed, a user must visit the compromised site. For instance, once an attacker has submitted a specially crafted URL to a target site, every webpage on that site that contains that URL is a potential vector for cross-site scripting; when a user visits such a page, the script could run in the security context of that user.

Microsoft received information about this vulnerability from John Hollenberger and Tate Hansen through coordinated vulnerability disclosure.

When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.


About the update

The security update addresses the vulnerability by correcting how AD FS handles the HTML encoding of HTTP responses.
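As an added illustration of the class of fix described above (this is not AD FS code; the sign-in page fragment, the sample URL and the parameter handling are constructed assumptions), the following Python reflects a WS-Federation `wct` query value into an HTML response once without encoding and once with HTML encoding applied, which is the difference between a reflected cross-site scripting bug and a harmless error message:

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sign-in URL: the "wct" parameter, which should carry a
# request timestamp, carries HTML markup instead (illustrative only).
SAMPLE_URL = "https://sts.example.test/adfs/ls/?wa=wsignin1.0&wct=<b>not-a-timestamp</b>"


def wct_from_url(url: str) -> str:
    """Return the raw wct query value, or an empty string if absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("wct", [""])[0]


def render_unencoded(wct: str) -> str:
    """Vulnerable pattern (assumed, for illustration): the untrusted value is
    interpolated into the HTML body as-is, so markup in wct becomes markup in
    the page the user's browser renders."""
    return f"<p>Invalid request time: {wct}</p>"


def render_encoded(wct: str) -> str:
    """Hardened pattern: HTML-encode before reflecting into an HTML text
    context. quote=True also encodes quotes, which matters if the value were
    ever placed inside an attribute value."""
    return f"<p>Invalid request time: {html.escape(wct, quote=True)}</p>"


def contains_raw_markup(rendered: str, value: str) -> bool:
    """True if the untrusted value survived into the output unencoded."""
    return value in rendered


if __name__ == "__main__":
    value = wct_from_url(SAMPLE_URL)
    print("unencoded:", render_unencoded(value))
    print("encoded:  ", render_encoded(value))
```

The encoding must match the output context: `html.escape` is correct for HTML text and attribute values, but a value reflected into a JavaScript string or a URL would need the encoder for that context instead.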

This security update is rated Important for Active Directory Federation Services 2.0 and Active Directory Federation Services 2.1. Update 3062577 replaces update 3003381 (MS14-077).

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

As a workaround, use a web application firewall to block suspicious requests to /adfs/ls where the query parameter "wct" contains HTML markup or JavaScript code.

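The filter logic behind that workaround, as an added example that is not from the bulletin or from any WAF product: Python that applies the rule (a request to /adfs/ls whose `wct` value contains HTML markup or JavaScript) to constructed IIS W3C-style log lines, so the same check can be used to hunt past traffic as well as to prototype a blocking rule. The log field layout, client addresses and timestamps are made up; the stricter allow-list check at the end is my own suggestion, not part of Microsoft's workaround.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS-style log excerpt (not captured traffic). Field order follows
# the #Fields header; "-" marks an empty query, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-06-10 08:00:01 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:app&wct=2015-06-10T08:00:00Z 10.0.0.5 200
2015-06-10 08:00:02 GET /adfs/ls/ wa=wsignin1.0&wct=%3Cscript%3Ealert(1)%3C%2Fscript%3E 198.51.100.7 200
2015-06-10 08:00:03 GET /adfs/ls/ wa=wsignin1.0&wct=javascript%3Aalert(1) 198.51.100.7 200
2015-06-10 08:00:04 GET /adfs/services/trust/mex - 10.0.0.6 200
2015-06-10 08:00:05 GET /adfs/ls/ wa=wsignin1.0&wct=2015-06-10T08%3A00%3A00Z 10.0.0.8 200
"""

# Markers of HTML markup or script inside a decoded parameter value.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)
# A well-formed wct is an ISO 8601 UTC timestamp (assumed allow-list pattern).
WCT_OK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def wct_is_suspicious(query: str) -> bool:
    """Percent-decode the query once (as parse_qs does) and flag any wct
    value that contains markup or script."""
    if query == "-":
        return False
    for value in parse_qs(query, keep_blank_values=True).get("wct", []):
        if MARKUP_RE.search(value):
            return True
    return False


def wct_is_wellformed(value: str) -> bool:
    """Stricter alternative: accept only values shaped like a timestamp."""
    return WCT_OK_RE.match(value) is not None


def flag_adfs_requests(log_text: str):
    """Return (line_no, client_ip, decoded_wct) for each /adfs/ls request
    whose wct parameter carries markup or script."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess at columns
        _date, _time, _method, stem, query, client_ip, _status = fields[:7]
        if not stem.lower().startswith("/adfs/ls"):
            continue
        if not wct_is_suspicious(query):
            continue
        wct = parse_qs(query, keep_blank_values=True).get("wct", [""])[0]
        hits.append((line_no, client_ip, wct))
    return hits


if __name__ == "__main__":
    for line_no, client_ip, wct in flag_adfs_requests(SAMPLE_LOG):
        print(f"line {line_no}: {client_ip} sent wct={wct!r}")
```

Decoding happens exactly once here; a WAF rule should be written to inspect the same decoded form the application sees, since a deny-list applied to the raw percent-encoded string misses trivially encoded variants.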

Call to Action

I urge you to install KB3062577 in a test environment as soon as possible, assess the risks and possible impact on your production environment, and then roll out this update to all systems with Active Directory Federation Services (AD FS) 2.0 and/or Active Directory Federation Services (AD FS) 2.1 installed, including AD FS Proxies.

Related blogposts

Update your Federation Servers with MS14-077 to patch CVE-2014-6331 (Important)

Related Knowledgebase articles

3062577 Vulnerability in Active Directory federation services could allow elevation of privilege: June 9, 2015
3003381 Vulnerability in Active Directory Federation Services could allow information disclosure: November 11, 2014

Further reading

Microsoft Security Bulletin MS15-062 – Important
Terminology used in AD FS
Microsoft Active Directory Federation Services CVE-2015-1757 Privilege Escalation Vulnerability