Researchers reveal cloud identity has a nasty Silver SAML lining for SolarWinds users

Researchers at enterprise identity services specialist Semperis have today warned that a new compromise methodology could hit SolarWinds users. Named Silver SAML, it is similar to Golden SAML that was used in the massive SolarWinds attack of 2020 – and could be used against those who followed mitigation advice after that incident.

What is Golden SAML?

Golden SAML exploited Security Assertion Markup Language (SAML), a single sign-on authentication protocol. It was part of a post-breach attack following one of the largest breaches known this century, the SolarWinds incident that impacted around 200 organisations on 13 December 2020.

Although the attack, by Russian state-sponsored threat group Cozy Bear, involved malicious code deployment via the Orion IT management and monitoring software from SolarWinds, Golden SAML was used, post-exploit, to extract signing certificates from Active Directory Federation Services (ADFS). These were then used to forge SAML authentication responses.

The US Cybersecurity and Infrastructure Security Agency (CISA) recommended that organisations move such authentication to cloud-based identity systems as part of their SolarWinds incident remediation advice.

Now, according to this new discovery, organisations that followed the CISA advice could be vulnerable to a similar attack, known as Silver SAML.

What is Silver SAML?

Many organisations use Microsoft Entra ID as an identity provider for software-as-a-service applications, and SAML is the primary means of authentication for these.

Companies can opt to use an externally generated certificate for SAML signing and, the researchers Tomer Nahum and Eric Woodruff reveal, it is this option that opens them to a new security threat.

“Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds,” they say. “With this type of forged SAML response, the attacker can then access the application – essentially as any user.”

How serious is Silver SAML?

Today’s report says that while the proof of concept discussed is focussed on Entra ID, Silver SAML can affect any identity provider allowing externally generated SAML certificates to be imported. The researchers have created and released a tool, SilverSAMLForger, that can forge such signed SAML responses.

Although the researchers have only rated the Silver SAML vulnerability as a moderate risk, and to the best of their knowledge there have been no attacks in the wild so far, it does have the potential to be uprated.

“Depending on the compromised system, should Silver SAML be used to gain unauthorised access to business-critical applications and systems, the risk is severe,” they say.

Mitigating against a Silver SAML attack

Fortunately, there is a simple and effective mitigation against Silver SAML attacks against Entra ID, which you may have already guessed: “Your organisation should use only Entra ID self-signed certificates for SAML signing purposes.”
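That mitigation can be audited on the signing certificate an identity provider publishes in its federation metadata (the base64 DER inside the `<ds:X509Certificate>` element). The Python below is an added example written for this article, not code from the Semperis report or the SilverSAMLForger tool; it assumes the Entra-generated subject CN shown in `ENTRA_SELF_SIGNED_CN`, and builds its own constructed certificate skeleton purely for demonstration.

```python
import base64

# Subject CN Entra ID puts on the SAML signing certs it generates itself (assumption; confirm in your tenant)
ENTRA_SELF_SIGNED_CN = "Microsoft Azure Federated SSO Certificate"
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def der(tag, body):
    """Minimal DER encoder (bodies under 256 bytes); only used to build the sample cert."""
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def tlvs(buf, start, end):
    """Walk DER elements in buf[start:end]; yield (tag, tlv_start, value_start, value_end)."""
    pos = start
    while pos < end:
        tag, length, p = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                           # long form: next (length & 0x7F) bytes hold it
            n = length & 0x7F
            length, p = int.from_bytes(buf[p:p + n], "big"), p + n
        yield tag, pos, p, p + length
        pos = p + length

def common_name(buf, vs, ve):
    """Return the CN attribute of the X.501 Name whose value occupies buf[vs:ve]."""
    for _, _, rdn_s, rdn_e in tlvs(buf, vs, ve):            # Name ::= SEQUENCE OF RDN (SET)
        for _, _, atv_s, atv_e in tlvs(buf, rdn_s, rdn_e):  # RDN ::= SET OF AttributeTypeAndValue
            oid, val = list(tlvs(buf, atv_s, atv_e))        # AttributeTypeAndValue ::= SEQUENCE {type, value}
            if buf[oid[2]:oid[3]] == OID_CN:
                return buf[val[2]:val[3]].decode()

def audit_signing_cert(b64_cert):
    """Return (self_signed, subject_cn, policy_ok) for a base64 DER cert from <ds:X509Certificate>."""
    cert = base64.b64decode("".join(b64_cert.split()))
    _, _, cert_vs, cert_ve = next(tlvs(cert, 0, len(cert)))    # Certificate ::= SEQUENCE
    _, _, tbs_vs, tbs_ve = next(tlvs(cert, cert_vs, cert_ve))  # tbsCertificate ::= SEQUENCE
    fields = list(tlvs(cert, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]  # serialNumber, signature, issuer, validity, subject, ...
    self_signed = cert[issuer[1]:issuer[3]] == cert[subject[1]:subject[3]]  # byte-identical Names
    cn = common_name(cert, subject[2], subject[3])
    return self_signed, cn, self_signed and cn == ENTRA_SELF_SIGNED_CN  # self-signed alone is not enough

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned X.509 skeleton (not a real certificate) carrying the given names."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"270101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn) + der(0x30, b""))
    return base64.b64encode(der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))).decode()
```

Feed `audit_signing_cert` the certificate text from each enterprise application's federation metadata; an imported certificate whose private key was ever outside Entra ID is exactly the one that fails the policy check, even if it happens to be self-signed.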

You can read the full technical report here.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
