Cybersecurity researchers have detailed a new attack technique called Silver SAML that can succeed even where mitigations against Golden SAML attacks have been applied.
Silver SAML “allows you to leverage SAML to launch attacks from an identity provider such as Entra ID against applications configured to use it for authentication, such as Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.
Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, simply put, involves abusing the interoperable authentication standard to impersonate almost any identity in an organization.
It is also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privilege and to remain persistent in this environment stealthily.
“Golden SAML brings into a federation the benefits of the golden ticket in a Kerberos environment – from gaining any kind of access to stealthily maintaining persistence,” security researcher Shaked Reiner noted at the time.
Real-world attacks leveraging this method have been rare, with the first recorded use coming in the SolarWinds supply-chain campaign, where the attackers used stolen SAML token-signing certificates to forge SAML tokens and gain administrative access to victims' cloud environments.
Golden SAML was also weaponized by an Iranian actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target’s cloud resources without requiring any passwords, Microsoft revealed in September 2023.
The latest approach is a version of Golden SAML that works with an identity provider (IdP) such as Microsoft Entra ID (formerly Azure Active Directory) and does not require access to Active Directory Federation Services (AD FS). It has been rated as a moderate severity threat to organizations.
“Within Entra ID, Microsoft provides a self-signed certificate for signing the SAML response,” the researchers said. “Alternatively, organizations can choose to use an externally generated certificate like those from Okta. However, this option introduces a security risk.”
“Any attacker who obtains the private key of an externally generated certificate can spoof any SAML response they want and sign that response with the same private key held by Entra ID. With this type of spoofed SAML response, the attacker can then access the application like any user.”
Following responsible notification to Microsoft on January 2, 2024, the company said the issue does not meet the requirements for immediate support, but noted that it will take appropriate actions necessary to safeguard customers.
While there is no evidence that Silver SAML has been exploited in the wild, organizations are recommended to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also released a proof-of-concept (PoC) tool called SilverSAMLForger for creating custom SAML responses.
“Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint in ApplicationManagement,” the researchers said.
“You will need to correlate these events with the Add service principal credential events related to the service principal. Rotating expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document rotation can help minimize confusion during rotation events.”
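To make the monitoring advice above concrete, here is an added example that is not code from the Semperis report or from The Hacker News. It runs the described correlation over a handful of constructed Entra ID audit events: it picks out every ApplicationManagement event that rewrote PreferredTokenSigningKeyThumbprint, pairs each one with an “Add service principal credential” event for the same service principal inside a one-hour window, and then checks the pair against a change-control register. The record shape follows the Microsoft Graph directoryAudits schema, but the service principals, actors, thumbprints, the `APPROVED_ROTATIONS` set and the “Update service principal” activity name are assumptions invented for the demonstration, not values taken from the page.

```python
# Added example (not Semperis or THN code): correlate Entra ID audit events the way
# the researchers describe. Records are constructed in the Microsoft Graph directoryAudits
# shape; ids, names, thumbprints and the "Update service principal" activity name are assumptions.
import json
from datetime import datetime, timedelta


def _event(when, activity, sp_id, sp_name, actor, props):
    """One constructed audit record in the Graph directoryAudits shape."""
    return {"activityDateTime": when, "activityDisplayName": activity,
            "category": "ApplicationManagement",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"id": sp_id, "displayName": sp_name, "modifiedProperties": props}]}


def _prop(name, old, new):
    """modifiedProperties carry JSON-encoded old/new values, as Graph returns them."""
    return {"displayName": name, "oldValue": json.dumps(old), "newValue": json.dumps(new)}


SIGN_KEY = "[KeyIdentifier={},KeyType=AsymmetricX509Cert,KeyUsage=Sign]"
# Thumbprints are shortened placeholders; real ones are 40 hex characters.
SAMPLE_AUDIT_EVENTS = [
    # 1. Documented rotation: certificate added, preferred signing key switched 2 min later.
    _event("2024-02-27T09:58:12Z", "Add service principal credential", "sp-salesforce",
           "Salesforce", "idp-admin@example.com", [_prop("KeyDescription", [], [SIGN_KEY.format("BBBB")])]),
    _event("2024-02-27T10:00:45Z", "Update service principal", "sp-salesforce",
           "Salesforce", "idp-admin@example.com", [_prop("PreferredTokenSigningKeyThumbprint", "AAAA", "BBBB")]),
    # 2. Same pattern, but no change ticket covers it.
    _event("2024-02-27T10:30:00Z", "Add service principal credential", "sp-payroll",
           "Payroll", "contractor@example.com", [_prop("KeyDescription", [], [SIGN_KEY.format("DDDD")])]),
    _event("2024-02-27T10:35:00Z", "Update service principal", "sp-payroll",
           "Payroll", "contractor@example.com", [_prop("PreferredTokenSigningKeyThumbprint", "CCCC", "DDDD")]),
    # 3. Key switched to a certificate uploaded hours earlier: nothing pairs inside the window.
    _event("2024-02-27T08:00:00Z", "Add service principal credential", "sp-hrportal",
           "HR Portal", "app-owner@example.com", [_prop("KeyDescription", [], [SIGN_KEY.format("FFFF")])]),
    _event("2024-02-27T12:00:00Z", "Update service principal", "sp-hrportal",
           "HR Portal", "app-owner@example.com", [_prop("PreferredTokenSigningKeyThumbprint", "EEEE", "FFFF")]),
    # Noise: an unrelated property change the detection must ignore.
    _event("2024-02-27T11:00:00Z", "Update service principal", "sp-payroll",
           "Payroll", "app-owner@example.com", [_prop("ReplyUrl", ["https://old.example.com/saml"], ["https://new.example.com/saml"])]),
]

# Hypothetical change-control register: (service principal id, new thumbprint)
# pairs that a documented rotation ticket authorised.
APPROVED_ROTATIONS = {("sp-salesforce", "BBBB")}
CORRELATION_WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _decode(value):
    """Graph JSON-encodes property values; a missing value stays None."""
    return json.loads(value) if value is not None else None


def signing_key_changes(events):
    """Every ApplicationManagement event that rewrote PreferredTokenSigningKeyThumbprint."""
    changes = []
    for ev in events:
        if ev.get("category") != "ApplicationManagement":
            continue
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        for res in ev.get("targetResources", []):
            for prop in res.get("modifiedProperties", []):
                if prop.get("displayName") == "PreferredTokenSigningKeyThumbprint":
                    changes.append({"time": _ts(ev), "sp_id": res["id"], "sp_name": res.get("displayName", ""),
                                    "actor": actor, "old": _decode(prop.get("oldValue")),
                                    "new": _decode(prop.get("newValue"))})
    return changes


def credential_adds(events):
    """Service principal id -> times at which a credential was added to it."""
    adds = {}
    for ev in events:
        if ev.get("activityDisplayName") == "Add service principal credential":
            for res in ev.get("targetResources", []):
                adds.setdefault(res["id"], []).append(_ts(ev))
    return adds


def triage(events, approved=APPROVED_ROTATIONS, window=CORRELATION_WINDOW):
    """Pair each signing-key change with a preceding credential add and a change ticket."""
    adds = credential_adds(events)
    findings = []
    for change in signing_key_changes(events):
        # A legitimate rotation uploads the new certificate first, then switches to it.
        paired = any(timedelta(0) <= change["time"] - t <= window for t in adds.get(change["sp_id"], []))
        documented = (change["sp_id"], change["new"]) in approved
        if paired and documented:
            verdict = "expected: documented rotation"
        elif paired:
            verdict = "review: rotation not in change control"
        else:
            verdict = "review: signing key switched with no new credential in window"
        findings.append({**change, "paired_credential_add": paired, "documented": documented, "verdict": verdict})
    return findings
```

Run against the sample, `triage(SAMPLE_AUDIT_EVENTS)` returns three findings: the Salesforce rotation is expected, the Payroll rotation is paired with a credential add but undocumented, and the HR Portal switch pairs with nothing in the window because its certificate was uploaded four hours earlier. In a real tenant the `events` list would come from the Graph `auditLogs/directoryAudits` endpoint (filtered on `category eq 'ApplicationManagement'`) or from the Entra ID diagnostic export to a SIEM, and the register would come from whatever the change-control process records, which is why the researchers stress documenting rotations.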