CVE-2020-0837: ADFS MFA Elevation of Privilege Vulnerability

Overview

Severity

Medium (CVSS 5)

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Sep

Released

2020-09-08

Last Updated

2020-09-29

EPSS Score

1.44% (percentile: 80.7%)

Description

An elevation of privilege vulnerability exists when Active Directory Federation Services (ADFS) improperly handles multi-factor authentication requests. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication factors. To exploit this vulnerability, an attacker could send a specially crafted authentication request. This security update corrects how ADFS handles multi-factor authentication requests.

Affected Products (21)

Other

• 11568
• 11569
• 11570
• 11571
• 11572
• 11712
• 11713
• 11714
• 11715
• 11644
• 11645
• 11646
• 11647
• 11766
• 11767
• 11768
• 11769
• 10852
• 10853
• 10816
• 10855

Security Updates (4)

• 4570333
• 4574727
• 4571756
• 4577015

Acknowledgments

Christopher Currens

Revision History

• 2020-09-08: Information published.
• 2020-09-29: Corrected the CVE title and description to address the vulnerability as elevation of privilege. In the Affected Products table, corrected the Impact to Elevation of Privilege. This is an informational change only.