Today, for its March 2017 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS).
The security update addresses a vulnerability that could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system.
About the vulnerability
An information disclosure vulnerability exists when Windows Active Directory Federation Services (AD FS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.
To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD FS implementation.
Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system.
The vulnerability is described in detail in CVE-2017-0043.
Affected Operating Systems
This security update is rated Important for all supported releases of Windows Server:
- Windows Server 2008,
- Windows Server 2008 R2,
- Windows Server 2012,
- Windows Server 2012 R2, and
- Windows Server 2016
About the update
The update addresses the vulnerability by adding verification checks in AD FS so that it ignores malicious XML External Entities.
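To make the condition described above concrete, here is an added example (not Microsoft's code and not taken from AD FS) that models it with Python's xml.sax parser: the same constructed request body is parsed once by a parser that honours external entities, which pulls a local file into the response, and once by a hardened parser that ignores them, with a pre-parse check for external entity declarations as the kind of verification the update adds. The file path, request body and secret value are all constructed for the demo.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the contents of a local file on the server.
SECRET = "constructed-secret-value"
# Pre-parse check: does the body declare an external (SYSTEM/PUBLIC) entity?
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.I)

def declares_external_entity(body: bytes) -> bool:
    return _EXTERNAL_ENTITY.search(body) is not None

def build_request(entity_target=None) -> bytes:
    """Constructed request body; with entity_target it carries an XXE declaration."""
    dtd = f'<!DOCTYPE req [<!ENTITY ext SYSTEM "{entity_target}">]>' if entity_target else ""
    payload = "&ext;" if entity_target else "hello"
    return f'<?xml version="1.0"?>{dtd}<req><token>{payload}</token></req>'.encode()

class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser actually expanded."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_request(body: bytes, honour_external_entities: bool) -> str:
    """True models a parser that honours external entities (the unpatched
    condition); False models the hardened parser that ignores them."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, honour_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)

def xxe_demo(honour_external_entities: bool) -> str:
    """Point the entity at a temp file holding SECRET and return what the parser leaks."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET)
    try:
        return parse_request(build_request(f.name), honour_external_entities)
    finally:
        os.unlink(f.name)
```

With the permissive setting the file contents come back in the parsed text; with the hardened setting the entity reference expands to nothing, and the pre-parse check flags the request before parsing starts.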
To apply the update, install the following update per Windows and/or Windows Server version:
| Windows Server version | Update |
|---|---|
| Windows Server 2008 with Service Pack 2 x86 | KB3217882 |
| Windows Server 2008 with Service Pack 2 x64 | KB3217882 |
| Windows Server 2008 R2 with Service Pack 1 | KB4012212 or KB4012217 |
| Windows Server 2012 | KB4012214 or KB4012217 |
| Windows Server 2012 R2 | KB4012216 or KB4012213 |
| Windows Server 2016 | KB4013429 |
Call to action
I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations acting as AD FS servers in your production environment.