© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

ADFS – HTTP replication can expose the token signing cert for abuse

Impact

The ADFS replication service can be abused to steal the token signing certificate, because the service runs over unencrypted HTTP (TCP/80) and does not require authentication to access.

Solution (for single ADFS server)

Apply a firewall rule that denies all inbound TCP/80 traffic.

New-NetFirewallRule -DisplayName "Block TCP 80 - ADFS" -Direction Inbound -Action Block -Protocol TCP -LocalPort 80 -RemoteAddress any

Solution (for multiple ADFS servers in a farm)

Apply firewall rules that permit inbound TCP/80 traffic only from the other ADFS servers. This keeps ADFS replication and configuration sync working, but only between the servers that need it.

New-NetFirewallRule -DisplayName "Allow ADFS Servers TCP 80" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 -RemoteAddress 10.50.75.10,10.50.85.12,10.50.86.11
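The scoped Allow rule above only achieves the intended result under two conditions: the profile's default inbound action must be Block (Windows Firewall's default), and no other enabled inbound Allow rule may still open TCP/80 to any remote host. Note also that Windows Firewall gives Block rules precedence over Allow rules, so the single-server Block rule from the previous section must not be applied to farm members alongside this Allow rule, or replication will break. The following script is an added example written for this page, not code from the original post or from Microsoft; it creates the farm rule and then performs those two checks. The farm member addresses are the constructed sample values from the post, and the rule display name is an assumption; substitute your own.

```powershell
# Added example (not from the original post): create the farm-scoped Allow rule
# for ADFS replication over TCP/80, then verify nothing else still exposes it.
# Run in an elevated PowerShell session on each ADFS server in the farm.

$FarmMembers = @('10.50.75.10', '10.50.85.12', '10.50.86.11')  # constructed sample; replace with your farm
$RuleName    = 'Allow ADFS Servers TCP 80'                       # assumed display name

# 1. Create (or recreate) the Allow rule scoped to the other farm members.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) { $existing | Remove-NetFirewallRule }
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80 -RemoteAddress $FarmMembers | Out-Null

# 2. Any other enabled inbound Allow rule for TCP/80 with an unrestricted remote
#    scope still matches before the profile's default-deny applies, so the scoped
#    rule alone does not close the exposure. Enumerate such rules.
#    (Port ranges such as '1-65535' are not expanded here; review those by hand.)
$broadAllows = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP') { continue }
    $ports = @($port.LocalPort)                     # single value, array, or 'Any'
    if ($ports -notcontains '80' -and $ports -notcontains 'Any') { continue }
    $addr = $rule | Get-NetFirewallAddressFilter
    if (@($addr.RemoteAddress) -contains 'Any') { $rule }
}

if ($broadAllows) {
    Write-Warning 'These inbound Allow rules still permit TCP/80 from any host; disable or re-scope them:'
    $broadAllows | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
    # To disable them after review:  $broadAllows | Disable-NetFirewallRule
} else {
    Write-Output 'No unrestricted inbound Allow rules for TCP/80 found.'
}

# 3. The scoped Allow rule only restricts traffic if the profile defaults to Block.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } | ForEach-Object {
    Write-Warning "Profile '$($_.Name)' default inbound action is $($_.DefaultInboundAction); set it to Block."
    # To fix:  Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction Block
}
```

The enumeration in step 2 is what surfaces rules that a vendor installer or an earlier administrator left open on port 80; a rule like that, with RemoteAddress of Any, is why a farm can still leak the replication endpoint after the scoped rule has been added.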

Source

https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html