Last Tuesday, during Microsoft’s August 2018 Patch Tuesday, Microsoft released an important security update for all supported Operating Systems to address a security feature bypass vulnerability that exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests.

About the vulnerability

Malicious actors often compromise passwords to initiate and expand security breaches. To help protect themselves, many organizations implement Multi-Factor Authentication (MFA), requiring that users demonstrate access to an additional factor, such as a phone, in order to log in to critical systems.

Due to a weakness in the MFA protocol for Microsoft’s authentication system, Active Directory Federated Services (AD FS), if an attacker obtains a single user’s password and second factor, the attacker can use the second factor to complete the second-factor challenge for any account in the organization. This is similar to turning a room key into a master key for every door in the building – but in this building, each door has a second lock that accepts a passcode. The exploit makes it much easier for an attacker who has obtained limited access to expand their reach toward more valuable targets.

Through its Extensible Authentication Framework (EAF), AD FS supports agents as extensions to ADFS as MFA providers. This vulnerabilty was tested with Microsoft’s own MFA Providers and third-party vendors Authlogics, Duo, Gemalto, Okta, RSA, and SecureAuth.

To exploit this vulnerability, an attacker could send a specially crafted authentication request, where the attacker combines the MFA context of one user account (for which the username, password and second authentication mechanism are known and used) and the session cookie for any account the attacker knows the username and password, and wants to gain access to.

An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors.

About the update

Microsoft issued a security update, that corrects how AD FS handles multi-factor authentication requests as part of the following update packages:

Miscellaneous information

Server Core

Server Core installations of Windows Server are vulnerable to this attack vector and need to be updated, too.

Reboot requirements

Admins need to restart the Operating System to apply the update. However, admins do not have to restart their Domain Controllers a second time to apply the above registry change.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

The vulnerability was responsibly disclosed three months ago to Microsoft by Andrew Lee, security engineer on Okta’s Research and Exploitation (REX) Team.

Known issues

On Windows Server, version 1803, Launching Microsoft Edge using the New Application Guard Window may fail; normal Microsoft Edge instances are not affected. If you’ve experienced the issue and already installed KB4343909, uninstall it. Install KB4340917 first, then reinstall KB4343909.

On Windows Server, version 1709, some non-English platforms may display strings in English instead of the localized language.

KB4343888 for Windows Server 2012 R2 is advertised as a security-only update to CVE-2018-8340, but also provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel Core processors and Intel Xeon processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings to take advantage of these protections.

Call to action

I urge Active Directory admins to apply the update to AD FS Servers, acting as Security Token Servers (STSs), throughout their networking environment, following their normal test procedures.

Further reading

Multi-Factor Mixup: Who Were You Again?
CVE-2018-8340
CVE-2018-8340 | AD FS Security Feature Bypass Vulnerability