An important update addresses a Spoofing Vulnerability in AD FS

Yesterday, for its September 2020 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS).

About the vulnerability

A spoofing vulnerability exists when Active Directory Federation Services (AD FS) on Windows Server 2016 and Windows Server 2019 improperly handles multi-factor authentication requests.

This vulnerability is described in detail in CVE-2020-0837.

To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors, rendering multi-factor authentication protections useless.

Affected Operating Systems

This security update is rated Important for the following releases of Windows Server:

  1. Windows Server 2016
  2. Windows Server 2019
  3. Windows Server, version 1903
  4. Windows Server, version 1909
  5. Windows Server, version 2004

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

About the update

Microsoft has released updates for the affected Operating Systems. This security update corrects how AD FS handles multi-factor authentication requests.

To apply the update, install the update listed below for your Windows Server version:

  1. Windows Server 2016: KB4577015
  2. Windows Server 2019: KB4570333
  3. Windows Server, version 1903 and Windows Server, version 1909: KB574727
  4. Windows Server, version 2004: KB571756
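The following PowerShell script is an added example, not part of the original post: it checks whether a host runs the AD FS role, which of the updates listed above applies to its Windows Server build, and whether that update is present. The KB identifiers are taken from the list above; the build-number-to-KB mapping and the Patch Tuesday date (8 September 2020) are assumptions of the script.

```powershell
# Added example: does this AD FS server have the CVE-2020-0837 update?
# KB identifiers as listed in this post; build mapping and date are assumptions.
$PatchTuesday = Get-Date -Year 2020 -Month 9 -Day 8

# Windows Server release (by build number) -> update listed in this post
$RequiredKb = @{
    '14393' = 'KB4577015'  # Windows Server 2016
    '17763' = 'KB4570333'  # Windows Server 2019
    '18362' = 'KB574727'   # Windows Server, version 1903
    '18363' = 'KB574727'   # Windows Server, version 1909
    '19041' = 'KB571756'   # Windows Server, version 2004
}

# Only hosts with the AD FS role are in scope (feature name: ADFS-Federation).
$adfs = Get-WindowsFeature -Name ADFS-Federation
if (-not $adfs.Installed) {
    Write-Output "AD FS role not installed; CVE-2020-0837 does not apply to this host."
    return
}

$build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$kb = $RequiredKb[$build]
if (-not $kb) {
    Write-Output "Build $build is not in the affected list of this advisory."
    return
}

$hotfixes = Get-HotFix
if ($hotfixes.HotFixID -contains $kb) {
    Write-Output "$kb is installed on this AD FS server."
} else {
    # Cumulative updates supersede each other: a later CU carries the fix, but
    # Get-HotFix then lists only the later KB. Fall back to the install date.
    $newest = $hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    if ($newest -and $newest.InstalledOn -ge $PatchTuesday) {
        Write-Output "$kb not listed, but $($newest.HotFixID) (installed $($newest.InstalledOn.ToShortDateString())) may supersede it; confirm the OS build level."
    } else {
        Write-Warning "$kb is missing on this AD FS server; the MFA requirement can be bypassed (CVE-2020-0837) until it is installed."
    }
}
```

Run it in an elevated PowerShell session on each AD FS server; the `Get-WindowsFeature` cmdlet comes from the ServerManager module and is only available on Windows Server.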

Call to action

I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Windows Server installations acting as AD FS servers in the production environment.

AD FS admins who do not install this update on their AD FS servers may feel protected against attacks by the multi-factor authentication requirements in place, while in reality these requirements can be circumvented on the affected Operating Systems. As we all know, Your Pa$$word doesn't matter.

Further reading

CVE-2020-0837 
CVE-2020-0837 | ADFS Spoofing Vulnerability 
Your Pa$$word doesn't matter  
A Vulnerability in AD FS allows for bypassing the MFA Security Feature (CVE-2018-8340, Important) 
HOWTO: Enable Azure Multi-factor Authentication on AD FS
