Story image

Exclusive interview: Major MFA vulnerability discovered in Microsoft’s ADFS

15 Aug 18

Okta Research and Exploitation (REX) security engineer Andrew Lee has discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS) that allows would-be malicious actors to bypass multi-factor authentication (MFA) safeguards, as long as they had full access to another user’s credentials on the same ADFS service.

This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building (but in this building each door requires two factors to open).

With the understanding of how most credential phishing attacks work nowadays, this exploit gives an actor an incredible advantage to expand compromises significantly.

Corporations rely on MFA to limit credential attacks, which might lead them to be susceptible to back-of-mind threats such as insider intrusions.

In other words, if just one employee in a massive, global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO.

In the discovery of this vulnerability, REX adhered to Okta’s responsible disclosure process to identify the vulnerability and report it to Microsoft.

A fix has been released, but because ADFS is an on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations.

SecurityBrief spoke to Okta REX director Mattias Brutti about the vulnerability discovered.

How can the affected parties mitigate the risk this vulnerability presents?

This is a vulnerability on the ADFS service so the only thing people can truly do is apply the patch.

Microsoft has listened to our recommendations and they should be releasing the patch which should solve the vulnerability. 

This is not a vulnerability on Microsoft MFA, this affects every single third-party vendor - including Okta - that provide an agent for ADFS to MFA.

Every single vendor that connects to it, as far as we know, is susceptible to this vulnerability. 

A lot of people rely on Active Directory to integrate between on-premise software and the cloud, you have to use ADFS to build the systems that integrate with other providers such as Okta.  

What communication has Okta had with Microsoft? 

They’ve provided a patch date of August 14 and they also provided us with a CVE (common vulnerabilities and exposures) for it accepting that the vulnerability exists.

This gives us a unique ID for that vulnerability that we can publish and reference.

How does this affect the security of MFA?

MFA has provided us with a unique identifier for each user in order to prevent people from getting phished. 

No matter how good you are with your credentials and how good your security is, people are going to get phished.

Somebody is going to steal your credentials, or even worse.

One of the common techniques that penetration testers (pentesters) use is compromising service accounts during pentests, because the service accounts are real accounts without MFA set up, is take the credentials from the service account, set up an MFA, and then they don’t even need to compromise anyone because after setting up that MFA, they have the MFA for everybody else. 

It lowers the complexity for the attack - you now only need one MFA.

Do you see the industry moving away from MFA after the recent spate of MFA compromises? 

No, this is just a simple mistake.

MFA is something that actually works, it’s great and people should use it all the time, regardless of this vulnerability.

People sometimes take MFA as a silver bullet - it is not a silver bullet.

Like everything else in the industry, it’s prone to vulnerabilities, and the whole point here is that people should patch them and continue to rely on them.