Researchers reveal cloud identity has a nasty Silver SAML lining for SolarWinds users
Researchers at enterprise identity services specialist Semperis have today warned that a new compromise methodology could hit SolarWinds users. Named Silver SAML, it is similar to Golden SAML that was used in the massive SolarWinds attack of 2020 – and could be used against those who followed mitigation advice after that incident.
What is Golden SAML?
Golden SAML exploited Security Assertion Markup Language (SAML), a single sign-on authentication protocol. It was part of a post-breach attack following one of the largest breaches known this century, the SolarWinds incident that impacted around 200 organisations on 13 December 2020.
Although the attack, by Russian state-sponsored threat group Cozy Bear, involved malicious code deployment via the Orion IT management and monitoring software from SolarWinds, Golden SAML was used, post-exploit, to extract signing certificates from Active Directory Federation Services (ADFS). These were then used to forge SAML authentication responses.
The US Cybersecurity and Infrastructure Security Agency (CISA) recommended that organisations move such authentication to cloud-based identity systems as part of their SolarWinds incident remediation advice.
Now, according to this new discovery, organisations that followed the CISA advice could be vulnerable to a similar attack, known as Silver SAML.
What is Silver SAML?
Many organisations use Microsoft Entra ID as an identity provider for software-as-a-service applications, and SAML is the primary means of authentication for these.
Companies can opt to use an externally generated certificate for SAML signing, and the researchers, Tomer Nahum and Eric Woodruff, reveal that it is this option that opens them to a new security threat.
“Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds,” they say. “With this type of forged SAML response, the attacker can then access the application – essentially as any user.”
How serious is Silver SAML?
Today’s report says that while the proof of concept discussed is focussed on Entra ID, Silver SAML can affect any identity provider allowing externally generated SAML certificates to be imported. The researchers have created and released a tool, SilverSAMLForger, that can forge such signed SAML responses.
Although the researchers have only rated the Silver SAML vulnerability as a moderate risk, and to the best of their knowledge there have been no attacks in the wild so far, it does have the potential to be uprated.
“Depending on the compromised system, should Silver SAML be used to gain unauthorised access to business-critical applications and systems, the risk is severe,” they say.
Mitigating against a Silver SAML attack
Fortunately, there is a simple and effective mitigation for Silver SAML attacks against Entra ID, which you may have already guessed: “Your organisation should use only Entra ID self-signed certificates for SAML signing purposes.”
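One way to act on that advice, as an added example that is not from the report or from Microsoft: a Python inventory check that walks service principal key credentials, as exported from Microsoft Graph, and flags SAML signing certificates whose recorded subject is not the one Entra ID uses for its own self-signed certificates. The Graph field shape and the sample data are assumptions constructed here; the check is an inventory heuristic, not proof of compromise.

```python
import json

# Subject Entra ID places on the SAML signing certificates it generates itself
# (the "self-signed certificates" the researchers recommend using exclusively).
ENTRA_SELF_SIGNED_SUBJECT = "CN=Microsoft Azure Federated SSO Certificate"

# Constructed sample shaped like the keyCredentials of Microsoft Graph
# servicePrincipal objects; only the fields read below are assumed to matter.
SAMPLE_SERVICE_PRINCIPALS = json.loads("""[
  {"displayName": "Payroll SaaS",
   "keyCredentials": [
     {"usage": "Sign", "type": "AsymmetricX509Cert", "keyId": "11111111-0000-0000-0000-000000000001",
      "displayName": "CN=Microsoft Azure Federated SSO Certificate"}]},
  {"displayName": "Legacy CRM",
   "keyCredentials": [
     {"usage": "Sign", "type": "AsymmetricX509Cert", "keyId": "22222222-0000-0000-0000-000000000002",
      "displayName": "CN=crm-saml-signing, O=Example Corp"},
     {"usage": "Verify", "type": "AsymmetricX509Cert", "keyId": "22222222-0000-0000-0000-000000000003",
      "displayName": "CN=crm-saml-signing, O=Example Corp"}]},
  {"displayName": "No SAML app", "keyCredentials": []}
]""")


def audit_saml_signing_certs(service_principals):
    """Return one finding per SAML signing credential that is not Entra self-signed.

    displayName on a keyCredential is the certificate subject Entra recorded, so an
    externally generated certificate could copy the string; confirm each finding
    against the certificate published in the application's federation metadata.
    """
    findings = []
    for sp in service_principals:
        for cred in sp.get("keyCredentials") or []:
            # Only the signing half of a SAML certificate pair matters here;
            # "Verify" entries carry the public certificate for the same key.
            if cred.get("usage") != "Sign" or cred.get("type") != "AsymmetricX509Cert":
                continue
            subject = cred.get("displayName") or "<no subject recorded>"
            if subject != ENTRA_SELF_SIGNED_SUBJECT:
                findings.append({
                    "app": sp.get("displayName"),
                    "keyId": cred.get("keyId"),
                    "subject": subject,
                    "action": "replace with an Entra ID self-signed certificate",
                })
    return findings


if __name__ == "__main__":
    for f in audit_saml_signing_certs(SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f['app']}: signing cert {f['keyId']} ({f['subject']}) -> {f['action']}")
```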
You can read the full technical report here.