MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Important)


On Tuesday, August 13, 2013 Microsoft, in its monthly Patch Tuesday, released MS13-066, a Security Bulletin addressing an issue with Active Directory Federation Services.

This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would lock out the AD FS service account if an account lockout policy has been configured. This would result in a denial of service for all applications relying on that AD FS instance. The issue was privately reported to Microsoft and is documented as CVE-2013-3185.

This security update is rated as important.
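The chain described above (service-account name disclosed, failed logons from outside, lockout policy firing, every relying application down) is something a SOC can watch for before the lockout lands. The following detector is an added example, not code from the original post or from Microsoft: it runs over a constructed, pipe-delimited export of Windows Security events (Event ID 4625 failed logon, 4740 account locked out), warns one failure short of the lockout threshold, and escalates once the 4740 appears. The export format, the account name svc_adfs, the threshold and the IP addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample Security-log export (assumption: a forwarder emits one event
# per line as "timestamp|event_id|account|source_ip"; 4625 = failed logon,
# 4740 = account locked out; svc_adfs is a hypothetical AD FS service account).
SAMPLE_EVENTS = """\
2013-08-14T09:00:01|4625|svc_adfs|203.0.113.10
2013-08-14T09:00:03|4625|svc_adfs|203.0.113.10
2013-08-14T09:00:05|4625|svc_adfs|203.0.113.11
2013-08-14T09:00:07|4625|svc_adfs|203.0.113.10
2013-08-14T09:00:09|4625|jdoe|10.0.0.5
2013-08-14T09:00:10|4740|svc_adfs|203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<id>\d+)\|(?P<acct>[^|]+)\|(?P<ip>\S+)$")


def parse_events(text):
    """Parse the export into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
                           "acct": m["acct"], "ip": m["ip"]})
    return events


def detect_service_account_lockout(events, service_account, threshold=5,
                                   window=timedelta(minutes=10)):
    """Warn when failed logons against the AD FS service account reach
    threshold-1 inside the sliding window (the lockout policy is about to
    fire), and raise a critical alert once a 4740 lockout is recorded."""
    alerts, warned, failures = [], False, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["acct"] != service_account:
            continue
        if e["id"] == 4625:
            failures.append(e)
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if not warned and len(recent) >= threshold - 1:
                ips = dict(Counter(f["ip"] for f in recent))
                alerts.append(("warning", f"{len(recent)} failed logons for "
                               f"{service_account} in {window} from {ips}"))
                warned = True
        elif e["id"] == 4740:
            alerts.append(("critical", f"{service_account} locked out; every "
                           "application relying on this AD FS instance is down"))
    return alerts
```

With the sample data and the default threshold of 5 the detector emits one warning (four failures from two external addresses) followed by one critical alert.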


Affected Operating Systems

This security update is rated Important for Active Directory Federation Services 2.0 and Active Directory Federation Services 2.1 on the following, currently supported, Windows Server Operating Systems:

  • Windows Server 2008 x86 with Service Pack 2
  • Windows Server 2008 x64 with Service Pack 2
  • Windows Server 2008 R2 x64 with Service Pack 1
  • Windows Server 2012 x64

This security update does not apply to Active Directory Federation Services 1.x installations. Also, interestingly, this security update does not seem to apply to Active Directory Federation Services on Server Core installations of Windows Server 2012.

About Active Directory Federation Services

Active Directory Federation Services (AD FS) can be used to provide SAML-based connections that allow secure sharing of identity information between trusted business partners (known as a federation) across an extranet. AD FS helps avoid Active Directory trusts, password synchronization, changes to naming conventions, and the exposure of further information about either environment.

Active Directory Federation Services (AD FS) is used heavily when you configure Single Sign-On as part of a hybrid cloud implementation, and when you configure Single Sign-On with cloud-based services like Salesforce.


Guidance

Microsoft released a patch for this security update on Patch Tuesday, labeled KB2790338. On August 19, 2013, Microsoft released a new patch, labeled KB2843638, because the original patch caused issues on Windows Server 2008 and Windows Server 2008 R2 when Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0 (KB2790338) was not installed.

These issues included:

  • Federated sign-in fails for clients
  • Event ID 111 in the AD FS 2.0/Admin event log

You are urged to test and deploy the updated patch for this Security Bulletin on the affected operating systems running the aforementioned versions of Active Directory Federation Services.

Related Blog Posts

Active Directory Services on Server Core installations
Statistics on Active Directory-related Security Bulletins

Related KnowledgeBase Articles

2843638 MS13-066: Description of the security update for Active Directory Federation Services 2.0: August 13, 2013
2790338 Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Further reading

Important Announcement: AD FS 2.0 and MS13-066
Microsoft Relaunches Botched MS13-066 Windows Patch
Microsoft re-releases MS13-066
Microsoft Security Bulletin MS13-066 – Important
Another Botched Patch Tuesday Sends Microsoft Customers Reeling
Microsoft Releases Fix for 2843638 AD Federation Services
New package coming for MS13-066
Microsoft Security Bulletin Re-Releases Issued: August 19, 2013
Keep Calm and Patch On This Patch Tuesday