Security Vulnerability in AD FS 3.0

In April 2015, Microsoft released an important security update for AD FS 3.0 in a security bulletin that addresses a security vulnerability reported in AD FS 3.0. The vulnerability allowed hackers / intruders to gain access to your application by reusing an existing token.

According to Microsoft Security Bulletin MS15-040, the vulnerability allows an attacker to gain access to an application that uses AD FS 3.0 for single sign-on (SSO), such as Office 365. The flaw is in the logoff process of AD FS 3.0: the logoff did not properly end the session, so an intruder could reuse the existing token to access the application as the user.

This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.
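To make the failure mode concrete, here is a simplified model of an SSO issuer whose logoff either only clears the browser's copy of the token or also revokes it server-side; the names SsoIssuer and replay_after_logoff are assumptions, and this is an added illustration of the session-termination principle, not Microsoft's AD FS code or the actual patch.

```python
import secrets


class SsoIssuer:
    """Minimal model of a federation service that issues session tokens.

    Constructed illustration only: a real federation service has far more
    state, but the logoff behaviour modelled here is the point of MS15-040.
    """

    def __init__(self, revoke_on_logoff: bool):
        self.revoke_on_logoff = revoke_on_logoff
        self._active_tokens = {}  # token -> user name, server-side session store

    def logon(self, user: str) -> str:
        """Issue a fresh random token and record it as an active session."""
        token = secrets.token_hex(16)
        self._active_tokens[token] = user
        return token

    def logoff(self, browser: dict) -> None:
        """End the session. Both variants clear the client-side copy; only
        the hardened variant also invalidates the token server-side."""
        token = browser.pop("token", None)
        if self.revoke_on_logoff:
            self._active_tokens.pop(token, None)

    def validate(self, token: str):
        """Return the user the token belongs to, or None if it is not active."""
        return self._active_tokens.get(token)


def replay_after_logoff(revoke_on_logoff: bool):
    """Log on, log off, then present the old token again (as happens when a
    browser is left open and the application is reopened). Returns the user
    the issuer still accepts the stale token for, or None if it is rejected."""
    issuer = SsoIssuer(revoke_on_logoff)
    browser = {"token": issuer.logon("alice")}   # constructed sample user
    stale_token = browser["token"]               # copy the open browser still holds
    issuer.logoff(browser)
    return issuer.validate(stale_token)


if __name__ == "__main__":
    print("client-only logoff accepts stale token for:", replay_after_logoff(False))
    print("server-side revocation accepts stale token for:", replay_after_logoff(True))
```

The first call models the unpatched behaviour (the stale token is still honoured as "alice"); the second models the fix, where logoff invalidates the server-side session so the reopened application is refused.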

The security bulletin states that Microsoft has no knowledge of any cases where this vulnerability was exploited. I hope no one is impacted or could be impacted, and that everyone patches their AD FS servers, as I did mine before writing up this article 🙂

Detailed information on the security bulletin can be found on TechNet. Be safe 🙂