Wednesday, January 15, 2025
HomeCVE/vulnerabilityNew Silver SAML Attack Let Attackers Forge Any SAML Response To Entra...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

Published on

SolarWinds cyberattack was one of the largest attacks of the century in which attackers used the Golden SAML attack in post-breach exploitation to affect thousands of organizations all over the world including the United States government for deploying malicious code into Orion IT management and monitoring software. 

After the massive cyberattack, CISA recommended hybrid environment organizations to move to a cloud identity system such as Entra ID.

However, a new technique dubbed Silver SAML has been discovered which could bypass security recommendations and exploit Entra ID using applications.

Though this vulnerability has been rated as MODERATE risk to organizations, depending upon the compromised system, this Silver SAML authentication can be used to gain unauthorized access to business-critical applications that pose a SEVERE risk.

Silver SAML Attack

According to the reports shared with Cyber Security News, Entra ID is used by several organizations that use SAML for authenticating into applications.

However, this Entra ID uses a self-signed certificate for SAML response signing. Additionally, organizations can also use externally generated certificates to sign the SAML.

Silver SAML attack workflow (Source: Semperis)

Golden SAML authentication is well-known for its extraction of signing certificates from Active Directory Federation Services and using them to forge SAML authentication responses.

The Silver SAML attack does not use the ADFS in Microsoft Entra ID.

Suppose an attacker obtains the private key of an externally generated certificate. In that case, the attacker can forge any SAML response as they please and sign the response with the same private key that Entra ID holds.

If this attack is successful, the attacker can gain access to the application as any user.

Issue Behind SAML And Signing Certificates

The main issue with the SAML and signing certificates is that most of the organizations do not correctly manage signing certificates.

Additionally, the SAML security is weakened as they use externally signed certificates.

In addition to this, these externally signed certificates are also used to send certificate PFX files and passwords using insecure channels like Teams or Slack.

Even for organizations that use Azure Key Vault, a secure place to store self-signed certificates can also be infiltrated and extracted the keys.

Apart from this, organizations also manage SAML signing certificates externally instead of using the Entra ID.

Performing A Silver SAML Attack

To launch the attack in a Service Provided initiated flow, a threat actor needs to intercept the SAML request and replace the contents of the SAML response with a forged SAML response which could be done using an intercepting proxy such as Burp Suite.

An example of this attack was demonstrated with the test flow by researchers. The SAML response for a user oktaAdministrator@xd6z7.onmicrosoft.com was intercepted.

For exploitation, some of the SAML claims information such as UPN (User Principal Name), surname, firstname, displayName, and objectID need to be collected, which can be done using the Entra admin center or Microsoft Graph API.

Intercepting the SAML response (Source: Semperis)

With the researchers created tool “SilverSAMLForger”, the required parameters are generated as a base64 and URL encoded output string.

This forged SAML response can then be used to replace the SAML response in the intercepted response, making the application log in as a targeted user.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

Hackers Exploiting Fortinet Zero-day Vulnerability In Wild To Gain Super-Admin Privileges

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products is being actively exploited...