Important Update for Active Directory Federation Services (MS17-019, KB4010320, CVE-2017-0043)

Today, for its March 2017 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS).

The security update addresses a vulnerability that could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system.


About the vulnerability

An information disclosure vulnerability exists when Windows Active Directory Federation Services (AD FS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.

To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD FS implementation.

Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system.

The vulnerability is described in detail in CVE-2017-0043.

Affected Operating Systems

This security update is rated Important for all supported releases of Windows Server:

  • Windows Server 2008,
  • Windows Server 2008 R2,
  • Windows Server 2012,
  • Windows Server 2012 R2, and
  • Windows Server 2016


About the update

The update addresses the vulnerability by adding verification checks to AD FS so that it ignores malicious XML External Entities.
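The same class of hardening, shown on a plain System.Xml reader rather than in AD FS itself, as an added example (not Microsoft's code and not the patched AD FS logic): a weak XmlReaderSettings that parses DTDs and resolves SYSTEM entities next to a hardened one that prohibits DTDs and never resolves external references. The XML input and its file path are constructed placeholders.

```powershell
# Added example: weak vs. hardened System.Xml reader settings (not AD FS code).
# Constructed input: a document declaring an external entity. The path is a placeholder.
$sample = @'
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///C:/PLACEHOLDER/secret.txt"> ]>
<doc>&ext;</doc>
'@

function Invoke-XmlParse {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][System.Xml.XmlReaderSettings]$Settings
    )
    $stringReader = New-Object System.IO.StringReader($XmlText)
    $reader = [System.Xml.XmlReader]::Create($stringReader, $Settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
        # Reaching this point with the sample above means the entity was expanded.
        return ("accepted: <{0}> = '{1}'" -f $doc.DocumentElement.Name, $doc.DocumentElement.InnerText)
    } catch {
        return "rejected: " + $_.Exception.GetBaseException().Message
    } finally {
        $reader.Dispose()
    }
}

# Weak configuration: the parser honors the DTD and fetches SYSTEM entities.
$weak = New-Object System.Xml.XmlReaderSettings
$weak.DtdProcessing = [System.Xml.DtdProcessing]::Parse
$weak.XmlResolver   = New-Object System.Xml.XmlUrlResolver

# Hardened configuration: any DOCTYPE is an error and nothing external is ever resolved.
$hardened = New-Object System.Xml.XmlReaderSettings
$hardened.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$hardened.XmlResolver   = $null

# Weak: the reader tries to open the referenced file (here a placeholder, so it fails on I/O).
Invoke-XmlParse -XmlText $sample -Settings $weak
# Hardened: rejected before the DTD is processed ("For security reasons DTD is prohibited ...").
Invoke-XmlParse -XmlText $sample -Settings $hardened
# Hardened, ordinary document: accepted.
Invoke-XmlParse -XmlText '<doc>hello</doc>' -Settings $hardened
```

Windows PowerShell 5.1 already defaults DtdProcessing to Prohibit; the point is that any code path which turns it back to Parse with a live resolver reintroduces exactly the disclosure this update closes.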

To apply the update, install the following update per Windows and/or Windows Server version:

  • Windows Server 2008 with Service Pack 2 (x86): KB3217882
  • Windows Server 2008 with Service Pack 2 (x64): KB3217882
  • Windows Server 2008 R2 with Service Pack 1: KB4012212 or KB4012217
  • Windows Server 2012: KB4012214 or KB4012217
  • Windows Server 2012 R2: KB4012216 or KB4012213
  • Windows Server 2016: KB4013429


Call to action

I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Windows Server installations acting as AD FS servers in the production environment.
