Exclusive interview: Major MFA vulnerability discovered in Microsoft’s ADFS

15 Aug 18

Okta Research and Exploitation (REX) security engineer Andrew Lee has discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS) that allows would-be malicious actors to bypass multi-factor authentication (MFA) safeguards, as long as they have full access to another user’s credentials on the same ADFS service.

This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building (but in this building each door requires two factors to open).

Given how most credential phishing attacks work today, this exploit gives an attacker a significant advantage in expanding a compromise.

Corporations rely on MFA to limit credential attacks, which can leave them susceptible to less-considered threats such as insider intrusions.

In other words, if just one employee in a massive, global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO.

After discovering the vulnerability, REX followed Okta’s responsible disclosure process to report it to Microsoft.

A fix has been released, but because ADFS is an on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations.

SecurityBrief spoke to Okta REX director Mattias Brutti about the vulnerability discovered.

How can the affected parties mitigate the risk this vulnerability presents?

This is a vulnerability on the ADFS service, so the only thing people can truly do is apply the patch.

Microsoft has listened to our recommendations and they should be releasing the patch, which should solve the vulnerability.

This is not a vulnerability in Microsoft MFA; it affects every single third-party vendor - including Okta - that provides an MFA agent for ADFS.

Every single vendor that connects to it, as far as we know, is susceptible to this vulnerability. 

A lot of people rely on Active Directory to integrate between on-premises software and the cloud; you have to use ADFS to build the systems that integrate with other providers such as Okta.

What communication has Okta had with Microsoft? 

They’ve provided a patch date of August 14, and they also provided us with a CVE (Common Vulnerabilities and Exposures) for it, accepting that the vulnerability exists.

This gives us a unique ID for that vulnerability that we can publish and reference.

How does this affect the security of MFA?

MFA has provided us with a unique identifier for each user in order to prevent people from getting phished. 

No matter how good you are with your credentials and how good your security is, people are going to get phished.

Somebody is going to steal your credentials, or even worse.

One of the common techniques that penetration testers (pentesters) use during pentests is compromising service accounts, because service accounts are real accounts without MFA set up: they take the credentials from the service account, set up MFA, and then they don’t even need to compromise anyone else, because after setting up that MFA they have the MFA for everybody else.

It lowers the complexity for the attack - you now only need one MFA.

Do you see the industry moving away from MFA after the recent spate of MFA compromises? 

No, this is just a simple mistake.

MFA is something that actually works; it’s great, and people should use it all the time, regardless of this vulnerability.

People sometimes take MFA as a silver bullet - it is not a silver bullet.

Like everything else in the industry, it’s prone to vulnerabilities, and the whole point here is that people should patch them and continue to rely on them. 