Microsoft has patched a vulnerability in its Active Directory Federation Services (ADFS) which could let an attacker use credentials for an account to access another account managed by that service, even if multi-factor authentication was enabled. Enterprise IT teams should apply the patch, but this vulnerability should not be used to question the efficacy of multi-factor authentication.
Multi-factor authentication remains a powerful tool in an organization’s authentication arsenal, and this vulnerability should not deter organizations from rolling out multi-factor authentication schemes to protect users.
Enterprises rely on ADFS to manage identities and resources, and many extend the service with ADFS Agents to integrate with a multi-factor authentication product. The flaw (CVE-2018-8340) lets an attacker access an account being managed by ADFS with the username, password, and the second factor of another account on the same service. An attacker needs control of an account and the account’s second factor in order to bypass the targeted account’s multi-factor authentication defenses.
“This is similar to taking a room key into a master key for every door in the building—but in this building, each door has a second lock that accepts a passcode,” Andrew Lee, the security engineer on Okta’s Research and Exploitation team who discovered the bug, wrote in the Okta advisory.
The timing of the attack is important, as the attacker has to log into both accounts at the same time to get the multi-factor authentication challenge prompt for both accounts. At this point, the attacker uses the secondary account’s second factor, such as a one-time password sent over SMS or via a mobile app, a swipe on a physical key, or some other mechanism to respond to the targeted account’s challenge.
“You basically move MFA out of the equation because you can use your own,” wrote Matias Brutti, Okta REX’s director of research.
The issue is in ADFS, and not in the multi-factor authentication product that integrates with ADFS over the integration API, so any organization using ADFS to manage identities may be affected. There isn’t much the multi-factor authentication provider—whether that’s Microsoft or a third-party platform such as Okta, Duo Security, or SecureAuth—can do to mitigate the issue until the organization’s IT team applies the patch.
In this case, ADFS generates an encrypted context log containing the correct MFA token, but that context log doesn’t contain the username associated with the token. There’s no way for the service to check that the second factor is being used by the correct person.
The weakness is the result of a “failure to cryptographically enforce the integrity and authenticity of relationships between the two pieces of identity—the primary credentials and the second factor,” Lee wrote.
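As an added illustration (not code from the Okta advisory or from ADFS itself), the following toy model shows the weakness Lee describes: a second-factor context that is authenticated by the service but never bound to the primary account, beside a version whose MAC covers both pieces of identity. The server key, usernames and one-time code are constructed for the demo.

```python
import hashlib
import hmac

# Constructed server-side key used to authenticate issued MFA contexts.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_context_unbound(mfa_token: str) -> dict:
    """Vulnerable pattern: the context proves a second factor was verified,
    but records nothing about which primary account it was verified for."""
    mac = hmac.new(SERVER_KEY, mfa_token.encode(), hashlib.sha256).hexdigest()
    return {"token": mfa_token, "mac": mac}


def complete_login_unbound(primary_user: str, context: dict) -> bool:
    """Checks only that the context is genuine; primary_user is never
    compared against anything, so any valid context finishes any login."""
    expected = hmac.new(SERVER_KEY, context["token"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, context["mac"])


def issue_context_bound(primary_user: str, mfa_token: str) -> dict:
    """Hardened pattern: the MAC covers the account name and the token,
    so the relationship between primary credentials and second factor
    is enforced cryptographically rather than assumed."""
    msg = f"{primary_user}\x00{mfa_token}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"user": primary_user, "token": mfa_token, "mac": mac}


def complete_login_bound(primary_user: str, context: dict) -> bool:
    """Rejects a context issued for a different account, and rejects a
    context whose user field was edited after issuance (MAC mismatch)."""
    if context["user"] != primary_user:
        return False
    msg = f"{context['user']}\x00{context['token']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, context["mac"])


def simulate_cross_account_replay() -> tuple:
    """Attacker finishes MFA on their own account, then presents that
    context while logging in as the targeted account. Returns the
    outcome under the unbound and bound designs respectively."""
    attacker_ctx = issue_context_unbound("123456")
    unbound_result = complete_login_unbound("targeted.user", attacker_ctx)
    attacker_ctx_bound = issue_context_bound("attacker", "123456")
    bound_result = complete_login_bound("targeted.user", attacker_ctx_bound)
    return unbound_result, bound_result
```

Run `simulate_cross_account_replay()` to see the unbound design accept the replayed context and the bound design refuse it.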
This particular attack scenario can be fairly easy to carry out if the attacker has a cooperating insider willing to share login credentials and second-factor details. If the owner of the secondary account had never enabled multi-factor authentication, the attacker just needs to enroll a second factor under his or her control to turn on the protection. And there are ways to steal the second factor from unsuspecting users, such as phishing that tricks them into handing over their multi-factor authentication details.
“Simply put, if just one employee in a global company wanted to—or if a bad actor compromised the account of one employee—they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability,” Brutti wrote.
The millions of records stolen across data breaches over the years mean that getting the username and password for the targeted account may not be all that hard—but obtaining that second factor is still the part that slows down the attacker.
Multi-factor authentication is not broken, and it remains one of the best security defenses in the organization’s authentication arsenal. However, it isn’t a silver bullet, and this flaw clearly illustrates what happens when the weakness is in the managing service itself. The relative advantages of one MFA method over another are moot in this scenario.
The challenge is not to find the perfect MFA method, but rather to teach employees how to protect their second factor, create stronger passwords, and stay alert to potential phishing and social engineering attempts.
“MFA is just like any other technology,” Brutti said, noting that it is “susceptible to the same type of vulnerability any other technology is.”