'Golden SAML' attack technique can bypass authentication controls

22 Nov 17

Researchers from CyberArk Labs have uncovered a new cyber attack technique that ‘poses serious risk’, but vendors are not doing much about it.

According to the CyberArk research team, the ‘Golden SAML’ technique is a risk because attackers can fake any identity and use it to gain authentication with any cloud application, including AWS and Azure.

The attackers can use their authentication to gain the highest privilege levels and gain approved, federated access to a targeted application.

Researcher Shaked Reiner explains that the attacker can authenticate across every service that uses Security Assertion Markup Language (SAML) 2.0 as a single sign-on (SSO) mechanism.

“The SAML protocol is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider,” Reiner says.

He explains that Active Directory isn’t necessarily the only tool that can authenticate and authorise users. It can be part of something bigger, known as a federation.

“A federation enables trust between different environments otherwise not related, like Microsoft AD, Azure, AWS and many others. This trust allows a user in an AD, for example, to be able to enjoy SSO benefits to all the trusted environments in such federation. Talking about a federation, an attacker will no longer suffice in dominating the domain controller of his victim,” Reiner explains.

Golden SAMLs can be created from anywhere and can work even when organisations use two-factor authentication. Password changes won’t affect any generated SAML.

A golden SAML attack involves:

  • Token-signing private key
  • IdP public certificate
  • IdP name
  • Role name (role to assume)
  • Domain\username
  • Role session name in AWS
  • Amazon account ID

However, he says that vendors are not applying fixes.

“Golden SAML is rather similar. It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorized access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner.”

He also says that these types of attacks would be difficult to detect in a network.

“Moreover, according to the ‘assume breach’ paradigm, attackers will probably target the most valuable assets in the organisation.”

He suggests that organisations implement endpoint security solutions that offer privilege management. These will benefit organisations and can stop attackers from gaining unauthorised access.
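One log-correlation check a defender can run for this technique, shown as an added example that is not from the article or from CyberArk's research: a forged assertion is signed away from the identity provider, so a federated login recorded by the service provider with no matching IdP token-issuance record is suspect. The record fields, the five-minute window and the sample data are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

# Constructed, normalised sample records (hypothetical field names).
IDP_ISSUED = [  # tokens the identity provider logged as issued
    {"time": "2017-11-22T09:00:05", "user": "CORP\\alice", "relying_party": "aws"},
    {"time": "2017-11-22T09:10:00", "user": "CORP\\bob", "relying_party": "aws"},
]
SP_LOGINS = [  # federated (SAML) logins the service provider logged
    {"time": "2017-11-22T09:00:07", "user": "CORP\\alice", "service": "aws", "role": "ReadOnly"},
    {"time": "2017-11-22T09:10:03", "user": "CORP\\bob", "service": "aws", "role": "Developer"},
    {"time": "2017-11-22T03:14:00", "user": "CORP\\administrator", "service": "aws", "role": "Admin"},
    {"time": "2017-11-22T11:30:00", "user": "CORP\\alice", "service": "aws", "role": "Admin"},
]
MAX_SKEW = timedelta(minutes=5)  # assumed limit between issuance and use


def _ts(record):
    return datetime.fromisoformat(record["time"])


def unmatched_sp_logins(sp_logins, idp_issued, max_skew=MAX_SKEW):
    """Return SP logins that no IdP issuance record accounts for.

    A login is accounted for when the IdP issued a token for the same user
    and relying party at most max_skew earlier. Each issuance record is
    consumed by one login, so a reused assertion is also reported.
    Assumes both log sources have synchronised clocks.
    """
    unused = sorted(idp_issued, key=_ts)
    suspects = []
    for login in sorted(sp_logins, key=_ts):
        match = next(
            (e for e in unused
             if e["user"].lower() == login["user"].lower()
             and e["relying_party"] == login["service"]
             and timedelta(0) <= _ts(login) - _ts(e) <= max_skew),
            None,
        )
        if match is None:
            suspects.append(login)
        else:
            unused.remove(match)
    return suspects


if __name__ == "__main__":
    for s in unmatched_sp_logins(SP_LOGINS, IDP_ISSUED):
        print("no IdP issuance for:", s["time"], s["user"], s["role"])
```

The check depends on collecting both the IdP's issuance logs and the service provider's sign-in logs in one place, and on retaining them long enough to compare.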
