CVE-2019-1006

Description

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Affected products

• Microsoft / Microsoft.IdentityModel7.0.0 – 7.0.0
• Microsoft / Microsoft .NET Framework 2.0Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 2.0Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 2.0Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 3.0Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 3.0Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 3.0Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 – Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1803 for 32-bit Systems – Windows 10 Version 1803 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 3.5Windows Server, version 1803 (Server Core Installation) – Windows Server, version 1803 (Server Core Installation)
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1803 for x64-based Systems – Windows 10 Version 1803 for x64-based Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1709 for x64-based Systems – Windows 10 Version 1709 for x64-based Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1709 for 32-bit Systems – Windows 10 Version 1709 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1703 for x64-based Systems – Windows 10 Version 1703 for x64-based Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1703 for 32-bit Systems – Windows 10 Version 1703 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2016 (Server Core installation) – Windows Server 2016 (Server Core installation)
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1607 for x64-based Systems – Windows 10 Version 1607 for x64-based Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 Version 1607 for 32-bit Systems – Windows 10 Version 1607 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2016 – Windows Server 2016
• Microsoft / Microsoft .NET Framework 3.5Windows 10 for x64-based Systems – Windows 10 for x64-based Systems
• Microsoft / Microsoft .NET Framework 3.5Windows 10 for 32-bit Systems – Windows 10 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2012 R2 (Server Core installation) – Windows Server 2012 R2 (Server Core installation)
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2012 R2 – Windows Server 2012 R2
• Microsoft / Microsoft .NET Framework 3.5Windows 8.1 for x64-based systems – Windows 8.1 for x64-based systems
• Microsoft / Microsoft .NET Framework 3.5Windows 8.1 for 32-bit systems – Windows 8.1 for 32-bit systems
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2012 (Server Core installation) – Windows Server 2012 (Server Core installation)
• Microsoft / Microsoft .NET Framework 3.5Windows Server 2012 – Windows Server 2012
• Microsoft / Microsoft .NET Framework 3.5.1Windows 7 for 32-bit Systems Service Pack 1 – Windows 7 for 32-bit Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 3.5.1Windows 7 for x64-based Systems Service Pack 1 – Windows 7 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 3.5.1Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 – Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 3.5.1Windows Server 2008 R2 for x64-based Systems Service Pack 1 – Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 3.5.1Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) – Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft / Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019unspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019unspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1903 (Server Core installation)1903 – 1903
• Microsoft / Microsoft .NET Framework 4.5.2Windows 7 for x64-based Systems Service Pack 1 – Windows 7 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.5.2Windows 7 for 32-bit Systems Service Pack 1 – Windows 7 for 32-bit Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.5.2Windows RT 8.1 – Windows RT 8.1
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2012 R2 (Server Core installation) – Windows Server 2012 R2 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2008 for 32-bit Systems Service Pack 2 – Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2008 for x64-based Systems Service Pack 2 – Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) – Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2008 R2 for x64-based Systems Service Pack 1 – Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2012 – Windows Server 2012
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2012 (Server Core installation) – Windows Server 2012 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.5.2Windows 8.1 for 32-bit systems – Windows 8.1 for 32-bit systems
• Microsoft / Microsoft .NET Framework 4.5.2Windows 8.1 for x64-based systems – Windows 8.1 for x64-based systems
• Microsoft / Microsoft .NET Framework 4.5.2Windows Server 2012 R2 – Windows Server 2012 R2
• Microsoft / Microsoft .NET Framework 4.6Windows Server 2008 for x64-based Systems Service Pack 2 – Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 4.6Windows Server 2008 for 32-bit Systems Service Pack 2 – Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2Windows 10 for x64-based Systems – Windows 10 for x64-based Systems
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2Windows 10 for 32-bit Systems – Windows 10 for 32-bit Systems
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2012 R2 (Server Core installation) – Windows Server 2012 R2 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows 7 for 32-bit Systems Service Pack 1 – Windows 7 for 32-bit Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows 7 for x64-based Systems Service Pack 1 – Windows 7 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) – Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2008 R2 for x64-based Systems Service Pack 1 – Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2012 – Windows Server 2012
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2012 (Server Core installation) – Windows Server 2012 (Server Core installation)
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows 8.1 for 32-bit systems – Windows 8.1 for 32-bit systems
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows 8.1 for x64-based systems – Windows 8.1 for x64-based systems
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows Server 2012 R2 – Windows Server 2012 R2
• Microsoft / Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Windows RT 8.1 – Windows RT 8.1
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systemsunspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows RT 8.1unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2012unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2012 R2unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2016unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)unspecified – unspecified
• Microsoft / Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)unspecified – unspecified
• Microsoft / Microsoft SharePoint Enterprise Server2016 – 2016
• Microsoft / Microsoft SharePoint Enterprise Server2013 Service Pack 1 – 2013 Service Pack 1
• Microsoft / Microsoft SharePoint Foundation2013 Service Pack 1 – 2013 Service Pack 1
• Microsoft / Microsoft SharePoint Foundation2010 Service Pack 2 – 2010 Service Pack 2
• Microsoft / Microsoft SharePoint Server2019 – 2019
• Microsoft / Windows7 for x64-based Systems Service Pack 1 – 7 for x64-based Systems Service Pack 1
• Microsoft / Windows7 for 32-bit Systems Service Pack 1 – 7 for 32-bit Systems Service Pack 1
• Microsoft / Windows10 Version 1709 for ARM64-based Systems – 10 Version 1709 for ARM64-based Systems
• Microsoft / Windows10 Version 1809 for ARM64-based Systems – 10 Version 1809 for ARM64-based Systems
• Microsoft / Windows10 Version 1809 for x64-based Systems – 10 Version 1809 for x64-based Systems
• Microsoft / Windows10 Version 1809 for 32-bit Systems – 10 Version 1809 for 32-bit Systems
• Microsoft / Windows10 Version 1803 for ARM64-based Systems – 10 Version 1803 for ARM64-based Systems
• Microsoft / Windows10 Version 1803 for x64-based Systems – 10 Version 1803 for x64-based Systems
• Microsoft / Windows10 Version 1803 for 32-bit Systems – 10 Version 1803 for 32-bit Systems
• Microsoft / Windows10 Version 1709 for x64-based Systems – 10 Version 1709 for x64-based Systems
• Microsoft / Windows10 Version 1709 for 32-bit Systems – 10 Version 1709 for 32-bit Systems
• Microsoft / Windows10 Version 1703 for x64-based Systems – 10 Version 1703 for x64-based Systems
• Microsoft / Windows10 Version 1703 for 32-bit Systems – 10 Version 1703 for 32-bit Systems
• Microsoft / Windows10 Version 1607 for x64-based Systems – 10 Version 1607 for x64-based Systems
• Microsoft / Windows10 Version 1607 for 32-bit Systems – 10 Version 1607 for 32-bit Systems
• Microsoft / Windows10 for x64-based Systems – 10 for x64-based Systems
• Microsoft / Windows10 for 32-bit Systems – 10 for 32-bit Systems
• Microsoft / WindowsRT 8.1 – RT 8.1
• Microsoft / Windows8.1 for x64-based systems – 8.1 for x64-based systems
• Microsoft / Windows8.1 for 32-bit systems – 8.1 for 32-bit systems
• Microsoft / Windows 10 Version 1903 for 32-bit Systemsunspecified – unspecified
• Microsoft / Windows 10 Version 1903 for ARM64-based Systemsunspecified – unspecified
• Microsoft / Windows 10 Version 1903 for x64-based Systemsunspecified – unspecified
• Microsoft / Windows Server2008 R2 for x64-based Systems Service Pack 1 – 2008 R2 for x64-based Systems Service Pack 1
• Microsoft / Windows Server2008 R2 for x64-based Systems Service Pack 1 (Core installation) – 2008 R2 for x64-based Systems Service Pack 1 (Core installation)
• Microsoft / Windows Server2008 R2 for Itanium-Based Systems Service Pack 1 – 2008 R2 for Itanium-Based Systems Service Pack 1
• Microsoft / Windows Server2008 for x64-based Systems Service Pack 2 (Core installation) – 2008 for x64-based Systems Service Pack 2 (Core installation)
• Microsoft / Windows Server2008 for x64-based Systems Service Pack 2 – 2008 for x64-based Systems Service Pack 2
• Microsoft / Windows Server2008 for 32-bit Systems Service Pack 2 – 2008 for 32-bit Systems Service Pack 2
• Microsoft / Windows Server2008 for Itanium-Based Systems Service Pack 2 – 2008 for Itanium-Based Systems Service Pack 2
• Microsoft / Windows Server2019 (Core installation) – 2019 (Core installation)
• Microsoft / Windows Server2019 – 2019
• Microsoft / Windows Serverversion 1803 (Core Installation) – version 1803 (Core Installation)
• Microsoft / Windows Server2016 (Core installation) – 2016 (Core installation)
• Microsoft / Windows Server2016 – 2016
• Microsoft / Windows Server2012 R2 (Core installation) – 2012 R2 (Core installation)
• Microsoft / Windows Server2012 R2 – 2012 R2
• Microsoft / Windows Server2012 (Core installation) – 2012 (Core installation)
• Microsoft / Windows Server2012 – 2012
• Microsoft / Windows Server2008 for 32-bit Systems Service Pack 2 (Core installation) – 2008 for 32-bit Systems Service Pack 2 (Core installation)
• Microsoft / Windows Server, version 1903 (Server Core installation)unspecified – unspecified

References

• VENDOR_ADVISORYhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1006