Security Thoughts: Update for Active Directory Federation Services to Address Denial of Service (Important, MS16-020, KB3134222, CVE-2016-0037)

Today, Microsoft released MS16-020, a Security Bulletin addressing an issue with Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2. The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

 

About Active Directory Federation Services

Active Directory Federation Services (AD FS) can be used to provide SAML-based connections that allow for secure sharing of identity information between trusted business partners (known as a federation) across an extranet. AD FS helps avoid Active Directory trusts and removes the need to sync passwords, adjust naming conventions or expose further information about the environments.

Active Directory Federation Services (AD FS) is used extensively when you configure Single Sign-On as part of hybrid cloud implementations and when you configure Single Sign-On with cloud-based services like Salesforce.

 

About the vulnerability

CVE-2016-0037 is a denial of service vulnerability that manifests when a Windows Server 2012 R2 installation with the Active Directory Federation Services (AD FS) role, acting as Security Token Service (STS) server, fails to properly process certain input during forms-based authentication.

An attacker who exploits this vulnerability could cause the server to become unresponsive.

Affected Operating Systems

Both Windows Server 2012 R2 installations with the Graphical User Interface (GUI) and without the GUI (also known as Server Core installations) are affected by this vulnerability.

AD FS on other operating systems is not vulnerable to CVE-2016-0037.

 

About the update

Security update KB3134222 resolves the above vulnerability in Active Directory Federation Services (ADFS). The update addresses the vulnerability by adding additional checks on input data during forms-based authentication.

KB3134222 replaces KB3045711, corresponding to MS15-040.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

However, when a Windows Server 2012 R2 installation with the Active Directory Federation Services (AD FS) role, acting as Security Token Service (STS) server, does not offer forms-based authentication, an attacker has no way to submit the malicious input. The availability of forms-based authentication can be controlled through the Global Authentication Policy in the AD FS Management MMC Snap-in:

[Screenshot: Global Authentication Policy for AD FS with only Forms Authentication enabled]
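
The same policy, together with the patch state, can be read from PowerShell on the AD FS server. The script below is an added example, not part of the original post or Microsoft's guidance; it assumes an elevated session on the AD FS server itself, and the function name `Test-Ms16020Exposure` and the output field names are hypothetical.

```powershell
# Added example: report patch state and forms-based authentication exposure
# for MS16-020 on the local AD FS server. Run in an elevated session.
# Test-Ms16020Exposure is a hypothetical helper name, not a Microsoft cmdlet.
function Test-Ms16020Exposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # The post states that only AD FS on Windows Server 2012 R2 is affected.
    $affectedOs = $os.Caption -like '*Server 2012 R2*'

    # ADFS-Federation is the AD FS role name on Windows Server 2012 R2.
    $role = Get-WindowsFeature -Name ADFS-Federation -ErrorAction SilentlyContinue
    $adfsInstalled = [bool]($role -and $role.Installed)

    # Get-HotFix matches the update by its own id only; a later update that
    # supersedes KB3134222 is not listed under this id.
    $patched = [bool](Get-HotFix -Id 'KB3134222' -ErrorAction SilentlyContinue)

    $formsIntranet = $false
    $formsExtranet = $false
    if ($adfsInstalled) {
        Import-Module ADFS -ErrorAction Stop
        # Global Authentication Policy: primary providers per network location.
        $policy = Get-AdfsGlobalAuthenticationPolicy
        $formsIntranet = $policy.PrimaryIntranetAuthenticationProvider -contains 'FormsAuthentication'
        $formsExtranet = $policy.PrimaryExtranetAuthenticationProvider -contains 'FormsAuthentication'
    }

    # Flag servers that offer forms-based sign-in and do not show the update.
    $exposed = $affectedOs -and $adfsInstalled -and ($formsIntranet -or $formsExtranet) -and (-not $patched)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AffectedOs          = $affectedOs
        AdfsRoleInstalled   = $adfsInstalled
        KB3134222Installed  = $patched
        FormsAuthIntranet   = $formsIntranet
        FormsAuthExtranet   = $formsExtranet
        ExposedAndUnpatched = $exposed
    }
}

Test-Ms16020Exposure | Format-List
```

Run it on every server in the AD FS farm, since the update is installed per server while the Global Authentication Policy is shared across the farm.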

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

 

Call to Action

I urge you to install KB3134222 in a test environment as soon as possible, assess the risks and possible impact on your production environment and, then, roll out this update to all Windows Server 2012 R2-based systems with Active Directory Federation Services (AD FS) installed and acting as a Security Token Service (STS) Server.

Related Blog Posts

Active Directory Services on Server Core installations 
Statistics on Active Directory-related Security Bulletins   

Related KnowledgeBase Articles

3134222 MS16-020: Security update for Active Directory Federation Services to address denial of service: February 9, 2016

Further reading

Microsoft Security Bulletin Summary for February 2016 
Microsoft released 13 security bulletins for February Patch Tuesday, 6 rated critical 
Patch Tuesday February 2016 
Microsoft Patch Tuesday – February 2016 
VERT Threat Alert: February 2016 Patch Tuesday Analysis 
Microsoft February 2016 Patch Tuesday Delivers Unlucky 13 Security Fixes
