Today, Microsoft released MS16-020, a Security Bulletin addressing an issue with Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2. The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an AD FS server, causing the server to become unresponsive.
About Active Directory Federation Services
Active Directory Federation Services (AD FS) can be used to provide SAML-based connections that allow secure sharing of identity information between trusted business partners (known as a federation) across an extranet. AD FS avoids the need for Active Directory trusts, password synchronization, changes to naming conventions, or exposing further information about either environment.
Active Directory Federation Services (AD FS) is used heavily when you configure Single Sign-On as part of a hybrid cloud implementation, and when you configure Single Sign-On with cloud-based services like Salesforce.
About the vulnerability
CVE-2016-0037 is a denial of service vulnerability which manifests when a Windows Server 2012 R2 installation with the Active Directory Federation Services (AD FS) role, acting as a Security Token Service (STS) server, fails to properly process certain input during forms-based authentication.
An attacker who exploits this vulnerability could cause the server to become unresponsive.
Affected Operating Systems
Both Windows Server 2012 R2 installations with the Graphical User Interface (GUI) and without the GUI (also known as Server Core installations) are affected by this vulnerability.
AD FS on other Operating Systems is not vulnerable to CVE-2016-0037.
About the update
Security update KB3134222 resolves the above vulnerability in Active Directory Federation Services (AD FS). The update addresses the vulnerability by adding checks on input data during forms-based authentication.
Microsoft has not identified any mitigating factors for this vulnerability.
However, when a Windows Server 2012 R2 installation with the Active Directory Federation Services (AD FS) role, acting as a Security Token Service (STS) server, does not offer forms-based authentication, an attacker has no way to submit the malicious input. The availability of forms-based authentication can be controlled through the Global Authentication Policy in the AD FS Management MMC Snap-in.
Microsoft has not identified any workarounds for this vulnerability.
Call to Action
I urge you to install KB3134222 in a test environment as soon as possible, assess the risks and possible impact on your production environment and, then, roll out this update to all Windows Server 2012 R2-based systems with Active Directory Federation Services (AD FS) installed and acting as a Security Token Service (STS) Server.
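To turn the two points above (whether forms-based authentication is offered at all, and whether KB3134222 has been rolled out) into a repeatable check, here is an added PowerShell audit script. It is an example written for this page, not part of the original post or of Microsoft's bulletin. It assumes it runs elevated on the AD FS server itself, where the ADFS PowerShell module that ships with the role is available; the function name Get-AdfsCve20160037Exposure and the output field names are my own. Get-AdfsGlobalAuthenticationPolicy is the PowerShell counterpart of the Global Authentication Policy page in the AD FS Management snap-in, and the policy it returns is farm-wide (stored in the AD FS configuration database), whereas Get-HotFix reports only the server it runs on.

```powershell
# Added example (not from the original post): audit an AD FS 3.0 server on
# Windows Server 2012 R2 for CVE-2016-0037 exposure.
# Assumptions: run elevated on the AD FS server, ADFS module present.

function Get-AdfsCve20160037Exposure {
    [CmdletBinding()]
    param (
        # KB number from the MS16-020 bulletin; parameterised so the same
        # check can be pointed at a superseding update later.
        [string]$UpdateId = 'KB3134222'
    )

    Import-Module ADFS -ErrorAction Stop

    # 1. Is the security update present? Get-HotFix reads
    #    Win32_QuickFixEngineering, which lists updates installed through
    #    Windows Update or WUSA.
    $hotfix  = Get-HotFix -Id $UpdateId -ErrorAction SilentlyContinue
    $patched = $null -ne $hotfix

    # 2. Does the farm's Global Authentication Policy offer forms-based
    #    authentication, and on which side (extranet / intranet)?
    $policy        = Get-AdfsGlobalAuthenticationPolicy
    $extranetForms = $policy.PrimaryExtranetAuthenticationProvider -contains 'FormsAuthentication'
    $intranetForms = $policy.PrimaryIntranetAuthenticationProvider -contains 'FormsAuthentication'

    # 3. Summarise. The vulnerable code path is reached only through
    #    forms-based authentication, so an unpatched server offering forms
    #    auth to the extranet is the urgent case; an unpatched server that
    #    does not offer forms auth at all is the least exposed.
    if ($patched) {
        $assessment = 'Patched'
    }
    elseif ($extranetForms) {
        $assessment = 'Unpatched - forms-based auth offered on the extranet'
    }
    elseif ($intranetForms) {
        $assessment = 'Unpatched - forms-based auth offered on the intranet only'
    }
    else {
        $assessment = 'Unpatched - forms-based auth not offered'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = (Get-CimInstance Win32_OperatingSystem).Caption
        UpdateInstalled     = $patched
        InstalledOn         = if ($patched) { $hotfix.InstalledOn } else { $null }
        ExtranetProviders   = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
        IntranetProviders   = ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
        FormsAuthOnExtranet = $extranetForms
        FormsAuthOnIntranet = $intranetForms
        Assessment          = $assessment
    }
}

# Run the audit on this server; pipe to Export-Csv to collect results
# from every STS server in the farm.
Get-AdfsCve20160037Exposure | Format-List
```

Two caveats when reading the output. First, if the server has since received a later update that supersedes KB3134222, Get-HotFix may no longer list the original KB, so check for the superseding update in that case rather than concluding the server is unpatched. Second, the script only reports; Microsoft lists no workarounds for this vulnerability, and removing FormsAuthentication from the extranet provider list with Set-AdfsGlobalAuthenticationPolicy would also cut off every external user who does not have another primary authentication method, such as certificate authentication, available. Use the report to prioritise the rollout, not as a substitute for it.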
Related Blog Posts
Related KnowledgeBase Articles
Microsoft Security Bulletin Summary for February 2016
Microsoft released 13 security bulletins for February Patch Tuesday, 6 rated critical
Patch Tuesday February 2016
Microsoft Patch Tuesday – February 2016
VERT Threat Alert: February 2016 Patch Tuesday Analysis
Microsoft February 2016 Patch Tuesday Delivers Unlucky 13 Security Fixes