Home Security New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

by crpt os


Feb 29, 2024NewsroomThreat Intelligence / Cyber Threat

Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.

Silver SAML “enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.

Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.

It’s also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.

Cybersecurity

“Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” security researcher Shaked Reiner noted at the time.

Real-world attacks leveraging the method have been rare, the first recorded use being the compromise of SolarWinds infrastructure to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.

Golden SAML has also been weaponized by an Iranian threat actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target’s cloud resources sans requiring any password, Microsoft revealed late last year.

Silver SAML Attack

The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn’t require access to the Active Directory Federation Services (AD FS). It has been assessed as a moderate-severity threat to organizations.

“Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing,” the researchers said. “Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk.”

“Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user.”

Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.

Cybersecurity

While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed SilverSAMLForger to create custom SAML responses.

“Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement,” the researchers said.

“You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex