
Exclusive interview: Major MFA vulnerability discovered in Microsoft’s ADFS

15 Aug 18

Okta Research and Exploitation (REX) security engineer Andrew Lee has discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS) that lets an attacker bypass multi-factor authentication (MFA): anyone who holds an account on an ADFS deployment and obtains another user’s username and password on that same deployment can sign in as that user without possessing their second factor.

This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building (but in this building each door requires two factors to open).

Given how most credential phishing attacks work today, a stolen password is normally stopped at the second factor; this bypass removes that barrier and gives an attacker a significant advantage in turning one compromised account into many.

Organisations rely on MFA to limit the damage from stolen credentials, which can leave them less prepared for threats they think about less often, such as a malicious insider.

In other words, if just one employee in a massive, global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO.

REX followed Okta’s responsible disclosure process and reported the vulnerability to Microsoft.

A fix has been released, but because ADFS is an on-premises product the fix does not arrive on its own: customers and IT administrators are strongly encouraged to patch their systems promptly to ensure the security of their organisations.

SecurityBrief spoke to Okta REX director Mattias Brutti about the vulnerability discovered.

How can the affected parties mitigate the risk this vulnerability presents?

This is a vulnerability in the ADFS service, so the only thing people can truly do is apply the patch.

Microsoft has listened to our recommendations and should be releasing the patch, which should solve the vulnerability.

This is not a vulnerability in Microsoft MFA; it affects every single third-party vendor - including Okta - that provides an MFA agent for ADFS.

Every single vendor that connects to it, as far as we know, is susceptible to this vulnerability.

A lot of people rely on Active Directory to integrate on-premises software with the cloud; you have to use ADFS to build the systems that integrate with other providers such as Okta.

What communication has Okta had with Microsoft? 

They’ve provided a patch date of August 14, and they also provided us with a CVE (Common Vulnerabilities and Exposures identifier) for it, accepting that the vulnerability exists.

This gives us a unique ID for that vulnerability that we can publish and reference.

How does this affect the security of MFA?

MFA has provided us with a unique identifier for each user in order to prevent people from getting phished.

No matter how good you are with your credentials and how good your security is, people are going to get phished.

Somebody is going to steal your credentials, or even worse.

One of the common techniques that penetration testers (pentesters) use is compromising service accounts during pentests, because service accounts are real accounts without MFA set up. They take the credentials from the service account, set up MFA on it, and then they don’t even need to compromise anyone else, because after setting up that MFA they have the MFA for everybody else.

It lowers the complexity of the attack - you now only need one MFA.
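The pattern Brutti describes (a second factor completed on one account being accepted for any other account whose password the attacker holds) amounts to the second-factor proof not being bound to the identity that passed the primary factor. The Python below is an added illustration written for this article, not ADFS code or Okta’s research code: a toy two-stage login with a vulnerable session issuer beside a fixed one. The user store, passwords, device secrets and signing scheme are all constructed for the example.

```python
"""Toy two-stage federation login: primary credential, then a second factor.

Illustrative only (not ADFS internals). Shows why a completed second factor
must be bound to the same account that passed the primary factor.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for the example; a real server would load its own.
SERVER_KEY = b"example-server-key-not-for-production"


def _hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store.
USERS = {
    # Service account the attacker controls and has enrolled their own device on.
    "svc_backup": {"pw": _hash_pw("Backup2018!"), "mfa_secret": "svc-device-secret"},
    # Victim whose password was phished; MFA enrolled on the victim's own phone.
    "ceo": {"pw": _hash_pw("correct horse battery staple"), "mfa_secret": "ceo-phone-secret"},
}


def primary_auth(username: str, password: str) -> bool:
    """Factor 1: username and password."""
    user = USERS.get(username)
    return bool(user) and hmac.compare_digest(user["pw"], _hash_pw(password))


def second_factor_code(username: str, step: int) -> str:
    """Code the user's enrolled device would display (toy counter-based scheme)."""
    secret = USERS[username]["mfa_secret"].encode()
    return hmac.new(secret, str(step).encode(), hashlib.sha256).hexdigest()[:6]


def mfa_context(username: str, code: str, step: int) -> bytes:
    """Factor 2 server: verify the code for this user and sign a context blob."""
    if not hmac.compare_digest(second_factor_code(username, step), code):
        raise PermissionError("bad second factor")
    body = json.dumps({"user": username, "step": step}).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig


def _verify_context(ctx: bytes) -> dict:
    """Check the server signature and return the claims the context carries."""
    body, sig = ctx.rsplit(b".", 1)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("forged context")
    return json.loads(body)


def issue_session_vulnerable(username: str, password: str, ctx: bytes) -> Optional[str]:
    """Bug: accepts any genuinely signed MFA context, no matter whose it is."""
    if not primary_auth(username, password):
        return None
    _verify_context(ctx)  # signature is valid, but the claims are never compared
    return f"session:{username}"


def issue_session_fixed(username: str, password: str, ctx: bytes) -> Optional[str]:
    """Fix: the second factor must have been completed by the factor-1 identity."""
    if not primary_auth(username, password):
        return None
    claims = _verify_context(ctx)
    if claims["user"] != username:
        return None
    return f"session:{username}"


def demo() -> dict:
    step = 1
    # Attacker completes MFA on the account they control ...
    ctx = mfa_context("svc_backup", second_factor_code("svc_backup", step), step)
    # ... then presents the phished CEO password together with their own context.
    return {
        "vulnerable": issue_session_vulnerable("ceo", "correct horse battery staple", ctx),
        "fixed": issue_session_fixed("ceo", "correct horse battery staple", ctx),
        "fixed_own_account": issue_session_fixed("svc_backup", "Backup2018!", ctx),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable issuer checks only that the context was signed by the server, so one enrolled device satisfies the second factor for every password the attacker has phished; the fixed issuer also requires the context’s `user` claim to match the account that passed the primary factor, which is the binding the patch restores.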

Do you see the industry moving away from MFA after the recent spate of MFA compromises?

No, this is just a simple mistake.

MFA is something that actually works, it’s great and people should use it all the time, regardless of this vulnerability.

People sometimes take MFA as a silver bullet - it is not a silver bullet.

Like everything else in the industry, it’s prone to vulnerabilities, and the whole point here is that people should patch them and continue to rely on them.
