Three vulnerabilities in AD FS were addressed at this month's Patch Tuesday


When looking at the October 2021 Patch Tuesday today, I noticed three updates that specifically address vulnerabilities in Active Directory Federation Services (AD FS).

About the vulnerabilities

Three vulnerabilities were addressed today:

CVE-2021-40456 AD FS Security Feature Bypass Vulnerability

CVE-2021-40456 is a vulnerability that could allow an attacker to bypass BannedIPList entries for WS-Trust workflows in Active Directory Federation Services (AD FS) over the network. The CVSSv3 score of this vulnerability is 5.3/4.6.

This vulnerability only exists in AD FS servers running Windows Server 2019, Windows Server 2022, Windows Server, version 2004 and Windows Server, version 20H2.

CVE-2021-26442 HTTP.sys Elevation of Privilege Vulnerability

CVE-2021-26442 is a vulnerability that could allow an attacker to elevate to SYSTEM privileges on the local AD FS server. The CVSSv3 score of this vulnerability is 7.0/6.1. The vulnerability was responsibly disclosed by Erik Egsgard with Field Effect Software.

This vulnerability exists in AD FS servers running Windows Server 2008 and later.

CVE-2021-41361 AD FS Spoofing Vulnerability

CVE-2021-41361 is a vulnerability in the AD FS logout redirect flow: the post-logout redirect URI in the logout redirect request is susceptible to cross-site scripting. An attacker who successfully exploited this vulnerability over the network could leave an application using this AD FS library vulnerable to common XSS attacks. The CVSSv3 score of this vulnerability is 5.4/4.7. The vulnerability was responsibly disclosed by Nadish Shajahan.

This vulnerability exists in AD FS servers running Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server, version 2004 and Windows Server, version 20H2.

Call to action

I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out these updates to the AD FS servers in your production environment.
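To turn that call to action into a quick per-server check, here is an added PowerShell triage script that is not part of the original post. Run on a Windows Server, it reports whether the host holds the AD FS role, which of the three CVEs apply to its version according to the lists above, and whether a hotfix installed on or after this Patch Tuesday is present. The build-number-to-version mapping and the use of 12 October 2021 as the Patch Tuesday date are my assumptions; the post gives no KB numbers, so the "patched" verdict is a date-based heuristic, not a KB check.

```powershell
# Added triage example (not from the original post). Assumptions: the build-number
# mapping below and 12 October 2021 as the Patch Tuesday date; the post lists no
# KB numbers, so "patched" means a hotfix installed on or after that date.
$PatchTuesday = [datetime]'2021-10-12'

# Windows Server builds mapped to the version names used in the advisory text.
$BuildNames = @{
    14393 = 'Windows Server 2016'
    17763 = 'Windows Server 2019'
    19041 = 'Windows Server, version 2004'
    19042 = 'Windows Server, version 20H2'
    20348 = 'Windows Server 2022'
}

# Affected versions per CVE, exactly as listed in the post.
# CVE-2021-26442 (HTTP.sys EoP) affects Windows Server 2008 and later, i.e. every build.
$Affected = @{
    'CVE-2021-40456' = @('Windows Server 2019', 'Windows Server 2022',
                         'Windows Server, version 2004', 'Windows Server, version 20H2')
    'CVE-2021-41361' = @('Windows Server 2016', 'Windows Server 2019', 'Windows Server 2022',
                         'Windows Server, version 2004', 'Windows Server, version 20H2')
}

function Get-AdfsPatchStatus {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $name  = if ($BuildNames.ContainsKey($build)) { $BuildNames[$build] } else { "Windows Server (build $build)" }
    # Only servers holding the AD FS role are in scope for these three CVEs.
    $role = Get-WindowsFeature -Name ADFS-Federation -ErrorAction SilentlyContinue
    if (-not ($role -and $role.Installed)) {
        return "$env:COMPUTERNAME ($name): AD FS role not installed, out of scope."
    }
    # Date-based heuristic: newest hotfix that has a recorded install date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patched = ($null -ne $latest) -and ($latest.InstalledOn -ge $PatchTuesday)
    $state   = if ($patched) { 'patched' } else { 'EXPOSED' }
    $report = [ordered]@{
        Computer         = $env:COMPUTERNAME
        OS               = $name
        LatestHotfix     = if ($latest) { "$($latest.HotFixID) $($latest.InstalledOn.ToString('yyyy-MM-dd'))" } else { 'none' }
        'CVE-2021-26442' = $state   # applies to every supported build
    }
    foreach ($cve in $Affected.Keys) {
        $report[$cve] = if ($Affected[$cve] -contains $name) { $state } else { 'not affected' }
    }
    [pscustomobject]$report
}

Get-AdfsPatchStatus
```

Because the verdict keys off the install date of the newest hotfix rather than specific KB IDs, treat an "EXPOSED" result as a prompt to verify against the October 2021 cumulative update for that OS, not as a definitive finding.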
