'Golden SAML' attack technique can bypass authentication controls

22 Nov 2017

Researchers from CyberArk Labs have uncovered a new cyber attack technique that ‘poses serious risk’, but vendors are not doing much about it.

According to the CyberArk research team, the ‘Golden SAML’ technique is a risk because attackers can fake any identity and use it to gain authentication with any cloud application, including AWS and Azure.

The attackers can use their authentication to gain the highest privilege levels and gain approved, federated access to a targeted application.

Researcher Shaked Reiner explains that the attacker can authenticate across every service that uses Security Assertion Markup Language (SAML) 2.0 as a single sign-on (SSO) mechanism.

“The SAML protocol is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider,” Reiner says.

He explains that Active Directory isn’t necessarily the only tool that can authenticate and authorise users. It can be part of something bigger, known as a federation.

“A federation enables trust between different environments otherwise not related, like Microsoft AD, Azure, AWS and many others. This trust allows a user in an AD, for example, to be able to enjoy SSO benefits to all the trusted environments in such federation. Talking about a federation, an attacker will no longer suffice in dominating the domain controller of his victim,” Reiner explains.

Golden SAMLs can be created from anywhere and can work even when organisations use two-factor authentication, and password changes won’t affect any generated SAML.

A Golden SAML attack involves:

  • Token-signing private key
  • IdP public certificate
  • IdP name
  • Role name (role to assume)
  • Domain\username
  • Role session name in AWS
  • Amazon account ID

However, he says that vendors are not applying fixes.

“Golden SAML is rather similar. It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorized access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner.”

He also says that these types of attacks would be difficult to detect in a network.

“Moreover, according to the ‘assume breach’ paradigm, attackers will probably target the most valuable assets in the organisation.”

He suggests that organisations implement endpoint security solutions that offer privilege management. These will benefit organisations and can stop attackers from gaining unauthorised access.
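On the detection difficulty mentioned above: an assertion signed with a stolen token-signing key never passes through the identity provider, so one defender-side check is to reconcile service-provider SAML sign-ins against the IdP's own issuance log. The sketch below is an added example, not code from CyberArk or the article; the record shapes, field names, time window and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed maximum assertion age at sign-in
SKEW = timedelta(seconds=30)   # assumed clock skew between the two log sources

# Constructed sample records; field names are assumptions, not a vendor schema.
IDP_ISSUED = [
    {"user": "CORP\\alice", "sp": "aws", "time": "2024-01-10T09:00:05Z"},
    {"user": "CORP\\bob", "sp": "aws", "time": "2024-01-10T09:10:00Z"},
]
SP_LOGINS = [
    {"user": "CORP\\alice", "sp": "aws", "role": "ReadOnly", "time": "2024-01-10T09:00:07Z"},
    {"user": "CORP\\bob", "sp": "aws", "role": "Dev", "time": "2024-01-10T09:10:02Z"},
    {"user": "CORP\\bob", "sp": "aws", "role": "Dev", "time": "2024-01-10T09:12:00Z"},
    {"user": "CORP\\admin", "sp": "aws", "role": "Admin", "time": "2024-01-10T03:14:00Z"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_unmatched_logins(sp_logins, idp_issued, window=WINDOW, skew=SKEW):
    """Return SP SAML sign-ins that no IdP issuance record accounts for."""
    # Group issuance times per (user, service provider).
    pool = {}
    for rec in idp_issued:
        pool.setdefault((rec["user"].lower(), rec["sp"]), []).append(parse(rec["time"]))
    for times in pool.values():
        times.sort()

    unmatched = []
    for login in sorted(sp_logins, key=lambda r: parse(r["time"])):
        when = parse(login["time"])
        times = pool.get((login["user"].lower(), login["sp"]), [])
        # Assumption: one issuance explains at most one sign-in, so consume it.
        hit = next((t for t in times if when - window <= t <= when + skew), None)
        if hit is None:
            unmatched.append(login)
        else:
            times.remove(hit)
    return unmatched

if __name__ == "__main__":
    for rec in find_unmatched_logins(SP_LOGINS, IDP_ISSUED):
        print("no IdP issuance for:", rec["user"], rec["role"], rec["time"])
```

The check only works if the IdP's issuance logging is enabled and both log sources are retained long enough to be compared.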
