Serious ADFS Bug Discovered

First reported on August 14, a security flaw in Active Directory Federation Services (ADFS) that could allow attackers to bypass multi-factor authentication MFA services, has been addressed by Microsoft. ADFS is often used by Office 365 customers to pass authentication requests to on-premises Active Directory.

The flaw was discovered by the Research and Exploitation (REX) team at Okta, the security identity management company, who reported it in a blog post entitled “The Inside Job: When Microsoft MFA Fails.” The problem is summarized in their statement:

“The vulnerability allowed potentially malicious actors to bypass Multi-Factor Authentication (MFA) safeguards, as long as they had full access to another user’s credentials on the same ADFS service. This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.”

Download and Install the ADFS Patch

The patch (CVE-2018-8340) is available online. According to Samuel Devasahyam (aka Mr. ADFS) of Microsoft, customers who use ADFS should “install the patches now.” Obviously, given that any bug affecting authentication is a bad thing, Samuel’s advice is well founded.

For more information about using ADFS with Office 365, see Chapter 3 of Office 365 for IT Pros.