Yesterday, for its September 2020 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS).
About the vulnerability
A spoofing vulnerability exists when Active Directory Federation Services (AD FS) on Windows Server 2016 and Windows Server 2019 improperly handles multi-factor authentication requests.
This vulnerability is described in detail in CVE-2020-0837.
To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors, rendering multi-factor authentication protections useless.
Affected Operating Systems
This security update is rated Important for the following releases of Windows Server:
- Windows Server 2016
- Windows Server 2019
- Windows Server, version 1903
- Windows Server, version 1909
- Windows Server, version 2004
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
About the update
Microsoft has released updates for the affected Operating Systems. This security update corrects how AD FS handles multi-factor authentication requests.
To apply the update, install the following update per Windows and/or Windows Server version:
- Windows Server 2016: KB4577015
- Windows Server 2019: KB4570333
- Windows Server, version 1903 and Windows Server, version 1909: KB574727
- Windows Server, version 2004: KB571756
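Because an AD FS server left on an affected release keeps accepting MFA requests that the update is meant to correct, the practical check is whether each AD FS server runs one of the listed releases and whether the update named for that release is installed. The PowerShell below is an added example, not code from the original post or from Microsoft: it maps the registry ReleaseId of the local server to the KB identifier listed above (copied exactly as printed in the post) and reports the result. The function names are my own; the KB-to-release mapping should be confirmed against the Microsoft Update Catalog before it is relied on.

```powershell
# Added example (not part of the original post): report whether this AD FS
# server runs an affected Windows Server release and whether the September
# 2020 update listed in the post for that release is installed.
# KB identifiers are copied from the post's list as printed; confirm them
# against the Microsoft Update Catalog before relying on this mapping.

# ReleaseId (from the registry) -> KB named in the post for that release.
$UpdateByRelease = @{
    '1607' = 'KB4577015'   # Windows Server 2016
    '1809' = 'KB4570333'   # Windows Server 2019
    '1903' = 'KB574727'    # Windows Server, version 1903 (as printed in the post)
    '1909' = 'KB574727'    # Windows Server, version 1909 (as printed in the post)
    '2004' = 'KB571756'    # Windows Server, version 2004 (as printed in the post)
}

function Test-AdfsRoleInstalled {
    # Installed state of the AD FS role (ServerManager module supplies Get-WindowsFeature).
    $feature = Get-WindowsFeature -Name ADFS-Federation -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.Installed)
}

function Get-WindowsReleaseId {
    # ReleaseId identifies the feature release: 1607, 1809, 1903, 1909, 2004, ...
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return (Get-ItemProperty -Path $key -Name ReleaseId).ReleaseId
}

function Get-Cve20200837Status {
    # Hypothetical helper name chosen for this example.
    $release = Get-WindowsReleaseId
    $os      = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $result  = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os
        ReleaseId    = $release
        AdfsRole     = Test-AdfsRoleInstalled
        RequiredKB   = $null
        KBInstalled  = $null
        Status       = 'Not an affected release'
    }

    if ($UpdateByRelease.ContainsKey($release)) {
        $kb = $UpdateByRelease[$release]
        $result.RequiredKB = $kb
        # Get-HotFix lists updates recorded in the local installation history.
        $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $result.KBInstalled = ($null -ne $hotfix)
        if (-not $result.AdfsRole) {
            $result.Status = 'Affected release, AD FS role not installed'
        } elseif ($result.KBInstalled) {
            $result.Status = 'AD FS server updated'
        } else {
            $result.Status = 'AD FS server MISSING the update; schedule installation'
        }
    }
    return [pscustomobject]$result
}

# Run on each AD FS server, locally or via remoting, for example:
# Invoke-Command -ComputerName adfs01, adfs02 -FilePath .\Get-Cve20200837Status.ps1
Get-Cve20200837Status | Format-List
```

One caveat when reading the output: these are cumulative updates, so a server that received a later monthly cumulative update will not show the September KB in Get-HotFix even though it contains the fix. Treat "KBInstalled = False" as a prompt to check the installed cumulative update level, not as proof the server is unpatched.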
Call to action
I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations acting as AD FS servers in the production environment.
AD FS admins who do not install this update on their AD FS servers may feel protected against attacks by the multi-factor authentication requirements they have in place, while in reality those requirements can be circumvented on the affected Operating Systems. As we all know, Your Pa$$word doesn't matter.
Further reading
- CVE-2020-0837
- CVE-2020-0837 | ADFS Spoofing Vulnerability
- Your Pa$$word doesn't matter
- A Vulnerability in AD FS allows for bypassing the MFA Security Feature (CVE-2018-8340, Important)
- HOWTO: Enable Azure Multi-factor Authentication on AD FS