icetray - Fotolia

Businesses urged to patch Microsoft flaw allowing MFA bypass

Security researchers are urging enterprises to update their software after the discovery of a vulnerability that could undermine the security provided by multifactor authentication

A vulnerability in Microsoft’s Active Directory Federation Services (ADFS) could allow attackers to bypass multifactor authentication (MFA) systems, researchers at identity management firm Okta have found.

The vulnerability was discovered during a routine technology assessment by Okta’s research and exploitation (REX) team, which regularly reviews the code bases of in-house and commercial software.

REX security engineer Andrew Lee found that the vulnerability could allow would-be malicious actors to bypass MFA safeguards, as long as they had full access to a user’s credentials on the same ADFS service.

According to Lee, this is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.  

The vulnerability, he said, is due to a failure to cryptographically enforce the integrity and authenticity of relationships between the primary credentials and the second factor.

In light of the implications of the discovery, Okta notified Microsoft, which has issued a software update (patch) to remove the vulnerability.

Any organisation failing to address this vulnerability is effectively giving threat actors the ability to expand compromises significantly to move around the organisation’s network undetected and gain control of privileged accounts, the researchers warn.

They are urging organisations to apply the security update from Microsoft because just one rogue insider or an attacker who managed to compromise the credentials of a single employee could do a lot of harm. This is because they could compromise employees at all levels of an organisation to gain access to commercially sensitive information, such as financial data or company patents.

The financial impact could be disastrous to an organisation and could also have an effect on clients, customers or partners, the researchers said.

According to Lee, the weakness in the unpatched versions of the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for all other accounts in an organisation.

If a single user’s password and second factor are compromised, he found that their second factor can be used in place of anyone else’s in the organisation, making it much easier for an attacker who has obtained limited access to expand their reach toward more valuable targets.

This vulnerability is best addressed within ADFS and it likely affects all MFA products for ADFS, said Lee, adding that all organisations running Microsoft ADFS are advised to patch their systems.

Read more about patching

  • Enterprises struggle with emergency patching.
  • Equifax confirms massive data breach was result of missed patch.
  • Get serious about patch validation and deployment.
  • Nine key elements to an effective patching regime.

Read more on IT risk management