sb-as logo
Story image

'Golden SAML' attack technique can bypass authentication controls

22 Nov 2017

Researchers from CyberArk Labs have uncovered a new cyber attack technique that ‘poses serious risk’, but vendors are not doing much about it.

According to the CyberArk research team, the ‘Golden SAML’ technique is a risk because attackers can fake any identity and use it to gain authentication with any cloud application, including AWS and Azure.

The attackers can use their authentication to gain the highest privilege levels and gain approved, federated access to a targeted application.

Researcher Shaked Reiner explains that the attacker can authenticate across every service that uses security assertion markup language (SAML) 2.0 as a single sign-on (SSO) mechanism.

“The SAML protocol is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider,” Reiner says.

He explains that Active Directory isn’t necessarily the only tool that can authenticate and authorise users. It can be part of something bigger, known as a federation.

“A federation enables trust between different environments otherwise not related, like Microsoft AD, Azure, AWS and many others. This trust allows a user in an AD, for example, to be able to enjoy SSO benefits to all the trusted environments in such federation. Talking about a federation, an attacker will no longer suffice in dominating the domain controller of his victim,” Reiner explains.

Golden SAMLs can be created from anywhere, can work even when organisations use two-factor authentication and password changes won’t affect any generated SAML.

A golden SAML attack involves:

  • Token-signing private key
  • IdP public certificate
  • IdP name
  • Role name (role to assume)
  • Domain\username
  • Role session name in AWS
  • Amazon account ID

However, he says that vendors are not applying fixes.

"It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorised access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner."

“Golden SAML is rather similar. It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorized access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner.”

He also says that these types of attacks would be difficult to detect in a network.

“Moreover, according to the ‘assume breach’ paradigm, attackers will probably target the most valuable assets in the organisation.

He suggests that organisations implement endpoint security solutions that offer privilege management. These will benefit organisations and can stop attackers from gaining unauthorised access.

Story image
Microsoft Exchange breach a wake-up call to ditch the server
"There are owners who still have in-house exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."More
Story image
5G network security a US$9 billion dollar opportunity - report
The cloud-native nature of 5G networks will have a disruptive and positive impact on the cybersecurity industry in the next few years, with 5G network security presenting a US$9 billion enterprise market opportunity by 2025.More
Story image
ThreatQuotient hits $22.5m in new financing, continues growth streak
“Since we first invested in ThreatQuotient in 2017, their team has continued to prove to the market that there is a critical need for cybersecurity solutions aimed at security operations."More
Story image
Advanced threat actors engaged in cyberespionage up their game
"This recent activity signals a major leap in their abilities."More
Story image
Enterprises underutilising security tools, causing teams to burn out
The report unveiled a lack of meaningful ROI metrics when reporting on security progress, as well as disparate opinions on objectives, tool effectiveness and security awareness amongst the organisation between executives and operations on security teams.More
Story image
McAfee brings on new partners in push for zero trust security
"Together with our SIA partners, we are strengthening security for the critical apps that enterprises rely on every day."More