New Vulnerability Found in Microsoft ADFS Allows for MFA Bypass

by Will Fulmer, Chief Operating Officer

Microsoft has released a fix for a newly identified flaw in Active Directory Federation Services (ADFS). Andrew Lee, a security engineer with Okta Research and Exploitation (REX), discovered the bug, which is tracked as CVE-2018-8340 and rated Important by Microsoft.

Many organizations use ADFS for identity management and authentication to company resources, and many two-factor authentication products bolt onto it, including Microsoft’s own MFA product along with third-party solutions from Okta, Gemalto, RSA and SecureAuth. Because the flaw is in ADFS itself rather than in any one provider, every 2FA product that plugs into an unpatched ADFS server is exposed.

The exploit bypasses the multi-factor prompt: an attacker who holds a valid username and password for another user on the same ADFS service can sign in as that user without ever satisfying that user’s second factor. The attacker does need an account of their own on the same ADFS service and must complete its second factor; vulnerable versions of ADFS did not tie that completed MFA context to the account it was issued for, so it could be reused for the victim. In effect the bypass acts as a ‘skeleton key’: any stolen, phished or sprayed password regains its full value, and MFA no longer protects the resources behind ADFS.

This attack has not yet been seen in the wild, but Microsoft has issued security updates that remove the vulnerability. Because the fix is in ADFS, it must be applied to every ADFS server in the farm; updating the MFA provider alone does not close the hole. More information can be found in Microsoft’s advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8340

Affected products and the updates that fix them, as listed in the advisory (the KB article number is what you look for on the server):

Product                                                  | Article | Download        | Impact                  | Severity  | Supersedence
---------------------------------------------------------|---------|-----------------|-------------------------|-----------|-------------
Windows Server 2012 R2                                   | 4343898 | Monthly Rollup  | Security Feature Bypass | Important | 4338815
Windows Server 2012 R2                                   | 4343888 | Security Only   | Security Feature Bypass | Important | 4338815
Windows Server 2012 R2 (Server Core installation)        | 4343898 | Monthly Rollup  | Security Feature Bypass | Important | 4338815
Windows Server 2012 R2 (Server Core installation)        | 4343888 | Security Only   | Security Feature Bypass | Important | 4338815
Windows Server 2016                                      | 4343887 | Security Update | Security Feature Bypass | Important | 4338814
Windows Server 2016 (Server Core installation)           | 4343887 | Security Update | Security Feature Bypass | Important | 4338814
Windows Server, version 1709 (Server Core installation)  | 4343897 | Security Update | Security Feature Bypass | Important | 4338825
Windows Server, version 1803 (Server Core installation)  | 4343909 | Security Update | Security Feature Bypass | Important | 4338819
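To confirm that a given ADFS server actually carries the fix, the check below maps the server’s OS build to the KB numbers from the table above. It is an added example written for this post, not code from Helient, Okta or Microsoft. It assumes the KB numbers in the table, and for the cumulative-update platforms (Server 2016, 1709 and 1803) it assumes the minimum build revision (UBR) that each KB sets, taken from Microsoft’s release notes for KB4343887, KB4343897 and KB4343909; verify those revisions against the KB articles before relying on them. Run it in an elevated PowerShell session on each ADFS server.

```powershell
# Added example (not from the Helient post, Okta or Microsoft): report whether
# this ADFS server has the CVE-2018-8340 update from the advisory table.
# Assumptions: KB numbers as in the table; minimum UBR values for the
# cumulative updates taken from the KB release notes (verify them there).

function Test-Cve20188340Fix {
    # Only servers carrying the AD FS role are affected by this flaw.
    $role = Get-WindowsFeature -Name ADFS-Federation
    if (-not $role.Installed) {
        Write-Warning 'AD FS role is not installed on this host; nothing to check.'
        return
    }

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # UBR exists on Windows 10 / Server 2016 and later; it is $null on 2012 R2.
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    switch ($build) {
        9600 {
            # Windows Server 2012 R2: either the August 2018 Monthly Rollup or
            # the Security Only update carries the fix, and rollup KBs stay
            # listed in the installed-update inventory, so Get-HotFix is reliable.
            $kbs   = 'KB4343898', 'KB4343888'
            $found = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
            return [pscustomobject]@{
                Build    = "$build"
                Fixed    = [bool]$found
                Evidence = if ($found) { $found.HotFixID -join ', ' } else { "neither of $($kbs -join ' / ') installed" }
            }
        }
        14393 { $minUbr = 2430; $kb = 'KB4343887' }   # Windows Server 2016
        16299 { $minUbr = 611;  $kb = 'KB4343897' }   # Windows Server, version 1709
        17134 { $minUbr = 228;  $kb = 'KB4343909' }   # Windows Server, version 1803
        default {
            Write-Warning "Build $build is not in the advisory table; check MSRC for CVE-2018-8340 manually."
            return
        }
    }

    # Cumulative updates supersede one another, so Get-HotFix may no longer
    # list the August 2018 KB on a server that has taken later updates. The
    # build revision only moves forward, so compare against the revision that
    # the fixing KB introduced instead of looking for the KB by name.
    return [pscustomobject]@{
        Build    = "$build.$ubr"
        Fixed    = ([int]$ubr -ge $minUbr)
        Evidence = "$kb sets revision $minUbr; server is at $ubr"
    }
}

# Usage on the local server:
Test-Cve20188340Fix | Format-List
```

To sweep a whole farm, wrap the call in Invoke-Command against the list of ADFS servers and filter on Fixed -eq $false; any server that reports the AD FS role but comes back unfixed (or warns that its build is not in the table) needs attention before the bypass is closed for the service as a whole, since users can be routed to any node in the farm.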

Please contact Helient if we can assist you with your ADFS and multi-factor environment and remediating this vulnerability.