Microsoft ADFS Vulnerability Allows Threat Actors to Bypass Multi-Factor Authentication

A vulnerability (CVE-2018-8340) has been identified in Microsoft’s Active Directory Federation Services (ADFS) which could allow an attacker to easily bypass multi-factor authentication (MFA).

ADFS is utilized by many companies to protect accounts by adding a second factor to a password to secure accounts, including vendors such as SecureAuth, RSA and Okta. It was a security researcher from Okta, Andrew Lee, who discovered the vulnerability.

To take advantage of the vulnerability, the attacker needs to obtain an employee’s login credentials and have a valid authentication token for that account. The token can then be used as authentication on any other account in Active Directory that has two-factor authentication set up. All that is required is a username and password. A threat actor can acquire a username and a password through a phishing campaign or via a brute force attack to guess a weak password.

Getting the second factor token is a bit more challenging. The second factor is usually a cell phone number or a smart card PIN number or email address. That data can also possibly be acquired by means of phishing or by impersonating an employee and requesting IT support reset the MFA token of a user. It is easier for an insider to exploit the vulnerability, because that person is likely to already possess a legitimate MFA token.

The vulnerability is a result of the way ADFS communicates when a user logs in. When an attempt is made to login, the server transmits an encrypted context log that includes the MFA token. But the context log doesn’t include the username. As long as a MFA token has been registered on one account it can be used as authentication on another. ADFS does not check that the token has been registered by the person attempting to access the account.

Two browsers can be used to gain access to two accounts. One browser is used to access an account using the correct username, password, and MFA token, and the second is used to access an account where the MFA token is not possessed. By capturing information from the first session, an attacker could use the information to access the second account. It would be possible to access any account on the network using this method, provided the username and password is known.

Two-factor authentication can prevent unauthorized accessing of account although the system is not perfect and can be bypassed, as this vulnerability shows. There have been many data breaches reported where multi-factor authentication was in place but failed to secure accounts – The recently discovered breach at Reddit being another example.

After discovering the flaw, Lee notified Microsoft and the flaw has now been patched. The update was released on Patch Tuesday on August 14.