Story image

'Golden SAML' attack technique can bypass authentication controls

22 Nov 2017

Researchers from CyberArk Labs have uncovered a new cyber attack technique that ‘poses serious risk’, but vendors are not doing much about it.

According to the CyberArk research team, the ‘Golden SAML’ technique is a risk because attackers can fake any identity and use it to gain authentication with any cloud application, including AWS and Azure.

The attackers can use their authentication to gain the highest privilege levels and gain approved, federated access to a targeted application.

Researcher Shaked Reiner explains that the attacker can authenticate across every service that uses security assertion markup language (SAML) 2.0 as a single sign-on (SSO) mechanism.

“The SAML protocol is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider,” Reiner says.

He explains that Active Directory isn’t necessarily the only tool that can authenticate and authorise users. It can be part of something bigger, known as a federation.

“A federation enables trust between different environments otherwise not related, like Microsoft AD, Azure, AWS and many others. This trust allows a user in an AD, for example, to be able to enjoy SSO benefits to all the trusted environments in such federation. Talking about a federation, an attacker will no longer suffice in dominating the domain controller of his victim,” Reiner explains.

Golden SAMLs can be created from anywhere, can work even when organisations use two-factor authentication and password changes won’t affect any generated SAML.

A golden SAML attack involves:

  • Token-signing private key
  • IdP public certificate
  • IdP name
  • Role name (role to assume)
  • Domain\username
  • Role session name in AWS
  • Amazon account ID

However, he says that vendors are not applying fixes.

"It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorised access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner."

“Golden SAML is rather similar. It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorized access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner.”

He also says that these types of attacks would be difficult to detect in a network.

“Moreover, according to the ‘assume breach’ paradigm, attackers will probably target the most valuable assets in the organisation.

He suggests that organisations implement endpoint security solutions that offer privilege management. These will benefit organisations and can stop attackers from gaining unauthorised access.

Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."
D-Link hooks up with Alexa and Assistant with new smart camera
The new camera is designed for outdoor use within a wireless smart home network.
Slack users urged to update to prevent security vulnerability
Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately.
Secureworks Magic Quadrant Leader for Security Services
This is the 11th time Secureworks has been positioned as a Leader in the Gartner Magic Quadrant for Managed Security Services, Worldwide.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."