Multifactor Authentication is seen as the solution to weak password-based security. Unfortunately, like any solution, it is just as prone to vulnerabilities as anything else. The recent attack against Reddit showed, again, how SMS-based two factor authentication 2FA can be defeated.
Security company Okta REX has announced a vulnerability in Microsoft’s Multi-factor authentication (MFA) solution. Once an attacker has compromised the second factor of a single employee, the whole company is there for the taking.
According to Andrew Lee, Security Engineer, Okta REX: “By exploiting a weakness in the MFA protocol for Microsoft’s authentication system, Active Directory Federated Services (ADFS), if a single user’s password and second factor are compromised, their second factor can be used in place of anyone else’s in the organization. This is similar to turning a room key into a master key for every door in the building – but in this building, each door has a second lock that accepts a passcode.“
Microsoft has already issued a patch for this after Okta contacted them. The patch was released on 14 August for CVE-2018-8340. Microsoft reports that the vulnerability affects all MFA products for Active Directory Federation Services (ADFS). It is advising administrators to patch their ADFS implementations.
How does it work?
A complete explanation of the vulnerability is given in a blog by Lee. It requires the attack to have the username and password for two individuals in an organisation. These can be acquired through a phishing attack, a keyboard logger, a trojan or any of several attacks. With MFA, these security credentials have limited value in breaching user accounts,
However, if the attacker manages to obtain the second factor for either user, it is game over. They can use that information to access any account for which they have the basic username/password security credentials.
The attack goes like this:
- Open two browsers
- Connect the target user to the AD login page
- Connect the attacker to the AD login page
- Capture the communication between the AD server and the browsers
- Combine the MFA context from the attacker with the session cookie from target
- Complete the authentication using the attackers phone
The last step means that the victim does not know that they have been compromised.
If it looks simple, that’s because it is. There is very little technical knowledge required here. Security credentials are sold on the Internet every day. It would cost an attack very little to buy a batch of credentials for a target company. Phishing tools are also cheap as we previous reported. This means that the investment in this attack is small and the rewards are high.
What does this mean
Microsoft has responded quickly to the alert from Okta. It has issued a critical patch and advised administrators to apply it. However, it is likely to take time for this to take place and, as with other attacks, it is likely that this will be quickly exploited by hackers.
The biggest concern for organisations will be the simplicity of the attack and how quickly it can be carried out.