CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
MS17-019 | Security Update for Active Directory Federation Services (4010320) | Windows Server | Important | 15-03-2017 |
Technical Information
Brief overview of the risk:
This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow information disclosure if an attacker sends a specially crafted request to an ADFS server, allowing the attacker to read sensitive information about the target system.
Detailed Information on the risk:
An information disclosure vulnerability exists when Windows Active Directory Federation Services (ADFS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.
To exploit this condition, an authenticated attacker would need to send a specially crafted request to the ADFS service. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system. The update addresses the vulnerability by causing ADFS to ignore these malicious entities.
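The update works by having ADFS ignore such entities. As an added example (not Microsoft's code and not part of this advisory), the following Python applies the same defensive rule for any service that accepts XML requests: an expat parser that refuses every DOCTYPE and entity declaration before an external reference could be resolved, run over two constructed SAML-style requests (hypothetical issuer sp.example.test, placeholder entity URI).

```python
import xml.parsers.expat as expat

class ForbiddenDtdError(ValueError):
    """Raised when an inbound document carries a DOCTYPE or entity declaration."""

def parse_without_entities(xml_bytes: bytes) -> dict:
    """Parse with expat, refusing every DTD construct; returns the root tag and
    character data, or raises ForbiddenDtdError the moment a DOCTYPE or entity
    declaration appears, before any external reference could be resolved."""
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDtdError(f"DOCTYPE {name!r} is not accepted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDtdError(f"entity {name!r} is not accepted")

    def on_start(tag, attrs):
        if state["root"] is None:
            state["root"] = tag

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 0 makes expat abort instead of fetching the referenced resource.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = state["text"].append
    parser.Parse(xml_bytes, True)
    return {"root": state["root"], "text": "".join(state["text"])}

def request_is_safe(xml_bytes: bytes) -> bool:
    """Gate in front of the real SAML handling: True only if no DTD was seen."""
    try:
        parse_without_entities(xml_bytes)
    except ForbiddenDtdError:
        return False
    return True

# Constructed samples, not captured traffic.
BENIGN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"https://sp.example.test</saml:Issuer></samlp:AuthnRequest>"
)
# The same request behind a DOCTYPE declaring an external entity (placeholder URI).
XXE_REQUEST = (
    b'<!DOCTYPE samlp:AuthnRequest [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    + BENIGN_REQUEST.replace(b"https://sp.example.test", b"&ext;")
)
```

Rejecting the whole DOCTYPE, rather than only external entities, also closes the internal-entity expansion variants that share the same parser feature.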
Further information on this exploit is available at: MS17-019
Affected Software
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 R2