Security Thoughts: Azure Active Directory Passport Library for Node.js is vulnerable to authentication bypass (CVE-2016-7191)


Last night we received a notification that some older versions of the Azure Active Directory Passport Library for Node.js (Passport-Azure-AD) are vulnerable to authentication bypass: the ValidateIssuer setting was not recognized, so the library validated tokens incorrectly. In practice this means the issuer of a token (the tenant that issued it) was not checked against the issuer the application was configured to trust.

An attacker who successfully exploited this vulnerability could bypass Azure Active Directory authentication to a targeted web application. To exploit it, the attacker would have to send a specially crafted token containing a valid user's identity claims to the target web application. The update addresses the vulnerability by correcting how identity tokens are validated when Passport strategies use Azure Active Directory.

  

About the Azure Active Directory Passport Library for Node.js

Passport-Azure-AD for Node.js is a collection of Passport strategies, provided on GitHub by (mostly) Microsoft employees, that help organizations integrate Node.js applications with Azure Active Directory. It includes OpenID Connect, WS-Federation and SAML-P authentication and authorization.

These strategies let you use the many features of Passport-Azure-AD for Node.js, including web single sign-on (WebSSO), endpoint protection with OAuth, and JWT token issuance and validation.


Affected versions

The vulnerability exists in web applications that use outdated versions of the Passport-Azure-AD for Node.js library. The following versions of the Azure Active Directory Passport Library for Node.js (Passport-Azure-AD) are vulnerable:

  • Passport-Azure-AD v1.0
  • Passport-Azure-AD v1.4.5
  • Passport-Azure-AD v2.0

This vulnerability only affects web applications that use the Passport-Azure-AD for Node.js library to take advantage of Azure Active Directory for authentication.

Note:
Standard Azure AD authentication that does not use the Passport-Azure-AD for Node.js library is not vulnerable.


Call to Action

You are strongly advised to update the Azure Active Directory Passport Library in your Node.js project(s) to at least one of the following versions:

  • Passport-Azure-AD v1.4.6
  • Passport-Azure-AD v2.0.1

Both releases are published on npm under the package name passport-azure-ad.

 

Related knowledgebase articles

3187742 Security update for the Passport-Azure-AD for Node.js library 

Further Reading

Security vulnerability details for passport-azure-ad <1.4.6, 2.0.0 
Microsoft Azure Active Directory Passport CVE-2016-7191 Authentication Bypass Vulnerability
