Here is a short rundown of the vulnerability described by MSRC, as discovered and written up in this detailed blog post by OKTA researcher Andrew Lee.
The rundown
- The vulnerability allows the strong authentication (second factor) of a single user to be leveraged as the second factor for any other user in the same organization. In essence, AD FS has* a vulnerability in that it cannot tell one user's 2FA apart from any other user's 2FA in the same org.
- To fully leverage this vulnerability, the attacker must also possess the targeted user's first factor (in most cases, the password).
- The vulnerability was not publicly disclosed; it was discovered by an OKTA researcher (see the OKTA write-up as well).
- No records exist of exploitation in the wild as a zero-day vulnerability. Microsoft nevertheless rates the likelihood of exploitation as the second highest on a scale of 0-3 (0 being the most likely).
* Unless patched
The mitigation
Initiate the update on the AD FS server (or servers).
- If you're not on automatic updates, use the MSRC table to see which update levels are affected:
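As an added example (this is not code from the original post, MSRC or OKTA), the check below asks each AD FS server in the farm whether one of the updates from the MSRC table is installed. The KB identifiers are not on this page, so `$RequiredKbs` holds a placeholder that you replace with the KB numbers MSRC lists for your update level; `$Servers` is assumed to be the list of farm members you maintain.

```powershell
# Added example: verify that every AD FS farm member has one of the updates
# listed in the MSRC table for CVE-2018-8340 installed.
param(
    # Placeholder: take the real KB numbers from the MSRC table for your OS/update level.
    [string[]]$RequiredKbs = @('KB<from-MSRC-table>'),
    # AD FS servers to check (assumed: you supply your farm members here).
    [Parameter(Mandatory = $true)]
    [string[]]$Servers
)

$results = foreach ($server in $Servers) {
    try {
        # Get-HotFix -Id returns only those IDs that are actually installed on the host.
        $installed = Get-HotFix -Id $RequiredKbs -ComputerName $server -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server      = $server
            InstalledKb = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
            Patched     = [bool]$installed
            Error       = $null
        }
    }
    catch {
        # Unreachable host or no remote access: report it instead of silently skipping it.
        [pscustomobject]@{
            Server      = $server
            InstalledKb = ''
            Patched     = $false
            Error       = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

$unpatched = $results | Where-Object { -not $_.Patched }
if ($unpatched) {
    Write-Warning ("AD FS servers without a listed update: " + ($unpatched.Server -join ', '))
}
```

Run it from a host with remote management access to the farm, e.g. `.\Check-AdfsPatch.ps1 -Servers adfs01,adfs02 -RequiredKbs KB<...>`. One caveat: on Windows Server 2016 and later, monthly cumulative updates supersede each other, so a server that received a later cumulative update is fixed even though `Get-HotFix` will not show the specific KB from the table; compare the installed cumulative update's release date against the table in that case rather than treating the empty result as "unpatched".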
Easy rundown for 'Your 2FA is mine also' | CVE-2018-8340 | AD FS Security Feature Bypass Vulnerability