A flaw was found in which a browser session wasn’t closed even after we had logged out of the Federated Service, so Microsoft released a security update for Windows Server 2012 R2 (MS15-040). It also applies to a Core installation, as it affects the AD FS service.
It could allow information disclosure: someone who reopens the Federated Service on the same computer gets access as the previous user.
An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow unintentional information disclosure. An attacker who successfully exploited this vulnerability could gain access to a user’s information by reopening an application from which the user has logged off. Since the logoff actually fails, an attacker is not prompted to enter a username or password. An attacker could then use this vulnerability to discover information to which an AD FS user has access.