CVE-2019-1126

EUVD-2019-9703

15.07.2019, 19:15

A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 83%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_server_2016	-
microsoft	windows_server_2019	-

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows Server

1803 Server Core	KB4507435
1903 Server Core	KB4507453

Windows Server 2012 R2

Server Core	KB4507457
Standard	KB4507457

Windows Server 2016

Server Core	KB4507460
Standard	KB4507460

Windows Server 2019

Server Core	KB4507469
Standard	KB4507469

Common Weakness Enumeration

CWE-307 - Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1126