sb-au logo
Story image

'Golden SAML' attack technique can bypass authentication controls

22 Nov 2017

Researchers from CyberArk Labs have uncovered a new cyber attack technique that ‘poses serious risk’, but vendors are not doing much about it.

According to the CyberArk research team, the ‘Golden SAML’ technique is a risk because attackers can fake any identity and use it to gain authentication with any cloud application, including AWS and Azure.

The attackers can use their authentication to gain the highest privilege levels and gain approved, federated access to a targeted application.

Researcher Shaked Reiner explains that the attacker can authenticate across every service that uses security assertion markup language (SAML) 2.0 as a single sign-on (SSO) mechanism.

“The SAML protocol is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider,” Reiner says.

He explains that Active Directory isn’t necessarily the only tool that can authenticate and authorise users. It can be part of something bigger, known as a federation.

“A federation enables trust between different environments otherwise not related, like Microsoft AD, Azure, AWS and many others. This trust allows a user in an AD, for example, to be able to enjoy SSO benefits to all the trusted environments in such federation. Talking about a federation, an attacker will no longer suffice in dominating the domain controller of his victim,” Reiner explains.

Golden SAMLs can be created from anywhere, can work even when organisations use two-factor authentication and password changes won’t affect any generated SAML.

A golden SAML attack involves:

  • Token-signing private key
  • IdP public certificate
  • IdP name
  • Role name (role to assume)
  • Domain\username
  • Role session name in AWS
  • Amazon account ID

However, he says that vendors are not applying fixes.

"It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorised access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner."

“Golden SAML is rather similar. It’s not a vulnerability per se, but it gives attackers the ability to gain unauthorized access to any service in a federation (assuming it uses SAML, of course) with any privileges and to stay persistent in this environment in a stealthy manner.”

He also says that these types of attacks would be difficult to detect in a network.

“Moreover, according to the ‘assume breach’ paradigm, attackers will probably target the most valuable assets in the organisation.

He suggests that organisations implement endpoint security solutions that offer privilege management. These will benefit organisations and can stop attackers from gaining unauthorised access.

Story image
Women in tech: Equality journey not over
The idea of gender equality represents more than just physical bodies through doors. It is also the notion of perceptions, feelings, stereotypes and opportunity.More
Story image
Quantum extends Veeam partnership in a bid to protect against ransomware
“Quantum continues to expand its partnership with us and we are pleased to add ActiveScale object storage to a select group of S3 targets that can provide robust ransomware protection for our joint customers."More
Story image
rhipe launches security solution for SMEs in APAC region
SmartEncrypt has been developed to complement businesses existing security and business continuity strategies and provide smaller to medium enterprises the levels of digital protection typically reserved for big business.More
Story image
WatchGuard rolls out updates to bring greater security to MSPs
"WatchGuard Cloud’s continued evolution is lowering the barrier to entry for MSPs to add security to their portfolios and solidifying it as the management platform of choice for the security channel.”More
Story image
CyberCX and AustCyber launch platform to boost Aus cybersecurity industry
"Australia has some of the best cyber talent in the world, but we need to expand the supply of talent coming through the pipeline if we are to have a vibrant and globally competitive economy."More
Story image
Latest Tenable launch provides holistic approach to vulnerability management
Tenable.ep is reportedly the industry’s first, all-in-one, risk-based vulnerability management platform designed to scale as dynamic compute requirements change.More