
Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication

A vulnerability has been discovered in Microsoft’s Active Directory Federation Services (ADFS) that allows multi-factor authentication (MFA) to be bypassed with ease. The flaw is being tracked as CVE-2018-8340 and was discovered by Andrew Lee, a security researcher at Okta.

ADFS is used by many organizations to help secure accounts, and ADFS is used by vendors such as SecureAuth, Okta, and RSA to add multi-factor authentication to their security offerings.

To exploit the vulnerability an attacker would need to obtain the login credentials of an employee and have a valid second-factor authentication token. That token could then be used as authentication to access any other person’s account if their username and password are known.

A threat actor could easily obtain a username and a password by conducting a phishing campaign. The number of phishing attacks on healthcare organizations that have been reported recently shows just how easy it is to fool employees into disclosing their login credentials. A brute force attempt on an account with a weak password would also work.


Obtaining the second factor token is a little more difficult. The second factor is often a mobile phone number or email address or a smart card PIN number. That information could also potentially be obtained through phishing or through a successful attempt to get the IT help desk to reset a user’s MFA token.

The vulnerability would be easy to exploit by an insider, since that person would already have a valid MFA token registered on the system. All that would be required to access the account of another employee would be their username and password.

The vulnerability is due to the way ADFS communicates during a login. When an attempt is made to log in, the server sends an encrypted context log which contains the MFA token. However, the context log does not include the username, so no check is performed to ensure the MFA token is being used by the correct individual. If an attacker used a browser to gain access to an account using a known username/password and MFA token, and a second browser with just a username and password but no MFA token, a single MFA token could be used to gain access to both accounts.
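To make the flaw described above concrete, here is an added illustrative model (not ADFS code and not from the article): a sealed MFA context that records only that a second factor succeeded, beside a hardened version that also binds the context to the account it was issued for and checks that binding at login. `SERVER_KEY`, `issue_context_*` and `login_*` are assumed names for this model.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed server-side secret used to seal the MFA context.
SERVER_KEY = os.urandom(32)


def _seal(payload: dict) -> str:
    """Serialize a payload and append an HMAC tag so it cannot be tampered with."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _open(token: str) -> Optional[dict]:
    """Verify the tag and return the payload, or None if the token is invalid."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


# Flawed model: the context proves only that *some* second factor passed.
def issue_context_unbound(mfa_passed: bool) -> str:
    return _seal({"mfa": mfa_passed, "iat": int(time.time())})


def login_unbound(username: str, password_ok: bool, context: str) -> bool:
    ctx = _open(context)
    # No check that the context was issued for `username`.
    return password_ok and ctx is not None and ctx.get("mfa") is True


# Hardened model: the context carries the subject it was issued for.
def issue_context_bound(username: str, mfa_passed: bool) -> str:
    return _seal({"sub": username, "mfa": mfa_passed, "iat": int(time.time())})


def login_bound(username: str, password_ok: bool, context: str) -> bool:
    ctx = _open(context)
    if not password_ok or ctx is None or ctx.get("mfa") is not True:
        return False
    # Reject a second-factor context that belongs to a different account.
    return hmac.compare_digest(ctx.get("sub", ""), username)
```

In the unbound model a context issued for one account is accepted for any other account whose password is known, which is the behaviour the article describes; the bound model rejects it.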

Two-factor authentication is an important security control that can prevent unauthorized account access even if a threat actor has successfully obtained login credentials, although this vulnerability shows that the system is not infallible.

The flaw has now been fixed in Microsoft’s Patch Tuesday updates on August 14. Healthcare organizations should ensure that the patch is applied promptly to ensure their MFA controls cannot be easily bypassed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.