Microsoft Flaw Allows Full Multi-Factor Authentication Bypass

This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.

A vulnerability in Microsoft’s Active Directory Federation Services (ADFS) has been uncovered that would allow malicious actors to bypass multi-factor authentication (MFA) safeguards.

Many organizations rely on ADFS to manage identities and resources across their entire enterprise, and ADFS functions as an organizational gatekeeper, using MFA to verify logins. The flaw (CVE-2018-8340), disclosed today, allows a second factor for one account to be used for all other accounts within an organization.

In other words, anyone with a legitimate user ID and password combination (credentials that can be phished by a bad actor) can use any MFA key that’s been registered on the system (typically a static option such as a second email, a smart-card PIN or a phone number, also all phish-able or accessible via social engineering or exploiting device vulnerabilities) to unlock any account on the system.

When a user attempts to go through the authentication process, the server transmits an encrypted “context” log. The file is correctly signed and encrypted, and contains the MFA token from the vendor. However, that context log doesn’t actually contain the user name, so there’s no way to check at any point that the MFA key is being used by the right person.

“Microsoft was not correctly checking that the credentials being used match the identity of the MFA – the system only sees a valid user name and password, and a valid MFA, but won’t check that both of those factors belong to the same identity,” explained Matias Brutti, Okta’s senior manager of research and exploitation, in an interview with Threatpost. “It’s a very simple mistake. But the system needs to correctly validate that the payload matches the user it’s trying to authenticate.”

The flaw’s impact could be significant. “ADFS Agents” are extensions of ADFS that enable it to interoperate with an MFA provider by delegating second-factor authentication to that provider. These include third-party vendors like Authlogics, Duo Security, Gemalto, Okta, RSA, and SecureAuth. For ADFS version 3.0, this attack affected all tested MFA solutions using Microsoft’s official integration API, according to Okta’s investigation.

“This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building (but in this building each door requires two factors to open),” explained Okta REX security engineer Andrew Lee, who discovered the vulnerability, in a post on the issue published today.

Lee also explained that obtaining the necessary first and second factors is not a difficult undertaking for a threat actor with a moderate amount of skill. To gain first-factor credentials, normal phishing techniques are a possibility, but other possibilities include compromising a database and cracking password hashes, compromising a host with some plaintext passwords still in memory, guessing common passwords, and guessing common modifications of compromised passwords from a different environment, but for the same person.

As for the second factor, the attacker may be an insider threat, and can use his own MFA to compromise any other account. Or, he or she could social engineer the IT help desk into resetting the second factor, implant a USB keylogger or exploit Bluetooth vulnerabilities like CVE-2018-5383 to capture the key.

“Given how prevalent phishing is, the vulnerability means it’s almost like MFA isn’t even there,” Brutti told Threatpost. “I strongly support MFA – it’s the way to go to, there’s no question. But they’re not all set up the same way, and enterprises have to do due diligence and be vigilant that holes like this don’t exist.”

Microsoft has independently verified the issue and released a patch for the flaw this week.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.