ADFS – http replication can expose the token signing cert for abuse

By Richard May 11, 2021 1 Min Read

Last Updated: May 11, 2021

Impact

The ADFS replication service can be abused to steal the token signing cert as the service is not encrypted and does not require authentication to access.

Solution (for single ADFS server)

Apply a firewall rule so that inbound tcp/80 traffic is denied.

New-NetFirewallRule -DisplayName "Block TCP 80 - ADFS" -Direction Inbound -Action Block -Protocol TCP -LocalPort 80 -RemoteAddress any

Solution (for multiple ADFS servers in a farm)

Apply firewall rules that restrict tcp/80 traffic between the ADFS Servers only, this will ensure ADFS replication and configuration sync still occurs and is maintained between only those necessary servers.

New-NetFirewallRule -DisplayName "Allow ADFS Servers TCP 80" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 -RemoteAddress 10.50.75.10,10.50.85.12,10.50.86.11

Source

https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html

ADFS – http replication can expose the token signing cert for abuse

Impact

Solution (for single ADFS server)

Solution (for multiple ADFS servers in a farm)

Source

How to Install Microsoft Defender for Endpoint on Ubuntu Linux

How to configure, manage and enable IE Mode for MS Edge. The missing guide.

Why authenticated vulnerability scans are important and when to use non-authenticated scans.

A Good Security Operations Center (SOC) should be enriching raw security telemetry and not just alerts.