Security update for the ADAL .NET library

Summary
An elevation of privilege vulnerability exists in the Active Directory Authentication Library for .NET (ADAL .NET) in specific usage scenarios.

An attacker who successfully exploits this vulnerability could receive a token granting higher privilege than should be granted for an application.

This issue occurs in scenarios that use the On-Behalf-Of protocol flow, and in specific cases where a ClientAssertion, ClientAssertionCertificate or ClientCredential is passed to an AcquireToken* API together with a UserAssertion.

Frequently asked questions about this vulnerability

Q1: What is Active Directory Authentication Library for .NET?

A1: The Active Directory Authentication Library (ADAL) for .NET provides easy-to-use authentication functionality for .NET clients and Windows Store applications.

Q2: Which versions of Active Directory Authentication Library for .NET (ADAL .NET) are affected?

A2: There are two distinct issues, with different behavior, that affect different ADAL version ranges. The affected versions are as follows:

  • First issue: ADAL versions 2.0.x to 2.21.x inclusive and ADAL versions 3.0.x to 3.5.x inclusive.
  • Second issue: ADAL versions 2.25.x to 2.27.x inclusive and ADAL versions 3.10.x to 3.11.x inclusive.
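The following script is an added example and is not part of the Microsoft article. It scans NuGet manifests (a packages.config or an SDK-style .csproj with PackageReference items) for the ADAL .NET package, Microsoft.IdentityModel.Clients.ActiveDirectory, and reports which of the two affected version ranges above a referenced version falls into. The manifest file names, their contents and the version numbers in the sample input are constructed for the example.

```python
"""Added example (not Microsoft's code): classify ADAL .NET package versions
against the affected ranges published in the article.

Sample manifests below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# NuGet package id of ADAL .NET
PACKAGE_ID = "Microsoft.IdentityModel.Clients.ActiveDirectory"

# Affected ranges from the article as (label, (low_major, low_minor),
# (high_major, high_minor)), both bounds inclusive; the patch level is ignored
# because the article lists ranges as 2.0.x, 3.5.x and so on.
AFFECTED_RANGES = [
    ("first issue", (2, 0), (2, 21)),
    ("first issue", (3, 0), (3, 5)),
    ("second issue", (2, 25), (2, 27)),
    ("second issue", (3, 10), (3, 11)),
]


def parse_version(text):
    """Return (major, minor) from a NuGet version such as '3.10.305231913'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version):
    """Return the issue label if the version is in a listed affected range,
    otherwise None (which means 'not in a listed range', not 'known good')."""
    mm = parse_version(version)
    for label, low, high in AFFECTED_RANGES:
        if low <= mm <= high:
            return label
    return None


def adal_versions_in_manifest(xml_text):
    """Yield version strings of every ADAL reference in a manifest."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop any XML namespace prefix
        if tag == "package" and el.get("id") == PACKAGE_ID:
            yield el.get("version")
        elif tag == "PackageReference" and el.get("Include") == PACKAGE_ID:
            version = el.get("Version")
            if version is None:  # Version may also be a child element
                child = el.find("Version")
                version = child.text if child is not None else None
            if version:
                yield version


def scan(manifests):
    """manifests: dict of file name -> XML text.
    Returns a list of (file name, version, issue label or None)."""
    results = []
    for name, text in manifests.items():
        for version in adal_versions_in_manifest(text):
            results.append((name, version, classify(version)))
    return results


# Constructed sample input: three hypothetical projects.
SAMPLE_MANIFESTS = {
    "WebApi/packages.config": """<packages>
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory"
           version="3.10.305231913" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net45" />
</packages>""",
    "Worker/Worker.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory"
                      Version="2.19.208020213" />
  </ItemGroup>
</Project>""",
    "Portal/Portal.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
      <Version>3.6.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>""",
}

if __name__ == "__main__":
    for name, version, issue in scan(SAMPLE_MANIFESTS):
        status = issue if issue else "not in a listed affected range"
        print(f"{name}: ADAL {version} -> {status}")
```

A version that falls between the listed ranges (for example 3.6.x) is reported as not in a listed range, not as safe; the article's update guidance is to move every application to the latest ADAL .NET release regardless, so treat any match on the package id as a candidate for upgrade.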

Q3: I use Azure Active Directory. Am I affected?

A3: This vulnerability affects only applications that use specific versions of ADAL .NET under specific conditions. It does not affect the Azure Active Directory service itself, nor Microsoft or Azure infrastructure.

Update information

Developers who use ADAL .NET must download the latest version of ADAL .NET and then update their applications. The technical details are published in our GitHub repository.

Status

Microsoft has confirmed that this is a problem in the ADAL .NET library.

References

Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 3190237 - Last Review: 09/07/2016 16:54:00 - Revision: 3.0

Microsoft Azure Active Directory
