A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the e…
A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
https://cwe.mitre.org/data/definitions/307.html →Open in CWE collection →https://capec.mitre.org/data/definitions/16.html →Open in CAPEC collection →
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
https://capec.mitre.org/data/definitions/49.html →Open in CAPEC collection →https://capec.mitre.org/data/definitions/560.html →Open in CAPEC collection →
https://capec.mitre.org/data/definitions/565.html →Open in CAPEC collection →
https://capec.mitre.org/data/definitions/600.html →Open in CAPEC collection →
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
https://capec.mitre.org/data/definitions/652.html →Open in CAPEC collection →An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.
https://capec.mitre.org/data/definitions/653.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| windows_server_2012 | * | Tracked |
| windows_server_2016 | * | Tracked |
| windows_server_2019 | * | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |
| Windows | Microsoft | Tracked |