'Golden Ticket' SAML attack vector puts cloud apps at risk
'Golden Ticket' SAML attack vector puts cloud apps at risk

Security researchers have discovered a new attack vector dubbed “golden SAML”. The vector enables an attacker to create a golden SAML, which is basically a forged SAML “authentication object,” and authenticate across every service that uses SAML 2.0 protocol as an SSO mechanism.

In a blog post, researchers at CyberArk said that this technique could allow hackers to gain access to any application that supports SAML authentication (eg Azure, AWS, vSphere, etc) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases).

Shaked Reiner, a security researcher at CyberArk said that the technique is like a golden ticket attack. “if we have the key that signs the object which holds the user's identity and permissions (KRBTGT for golden ticket and token-signing private key for golden SAML), we can then forge such an “authentication object” (TGT or SAMLResponse) and impersonate any user to gain unauthorised access to the SP [service provider],” he said.

He added that in this attack, a hacker can control every aspect of the SAMLResponse object (eg username, permission set, validity period and more). In addition, golden SAMLs have the following advantages: they can be generated from practically anywhere; you don't need to be a part of a domain, federation of any other environment you're dealing with. They are effective even when 2FA is enabled; the token-signing private key is not renewed automatically; and changing a user's password won't affect the generated SAML.

He outlined a case where an attacker has compromised a target domain and is now trying to figure out how to continue the hunt for the final goal. “now trying to figure out how to continue your hunt for the final goal,” he said.

Reiner said that the attack doesn't rely on a vulnerability in SAML 2.0. “It's not a vulnerability in AWS/ADFS, nor in any other service or identity provider.”

He added that the Golden Ticket attack can't be treated as a vulnerability because an attacker has to have domain admin access in order to perform it. “That's why it's not being addressed by the appropriate vendors. The fact of the matter is, attackers are still able to gain this type of access (domain admin), and they are still using golden tickets to maintain stealthily persistent for even years in their target's domain,” he added.

Markus Tak, CTO of Kobil, told SC Media UK that organisations which are using Identity Providers such as SAML should make sure that the private keys of the SAML authority is properly protected, eg file system access rights are properly set and monitored on a regular basis.

“Also, SAML server vendors should be asked on how they handle the SAML assertion signing private key. For example, it might be better protected against theft using a Hardware Security Module (HSM), but this implies additional cost and might not be applicable in all cases,” he said.

Josh Mayfield, director at FireMon, told SC Media UK that mitigation steps can be taken to prevent or disrupt the effects from Golden SAML.  User authentication is rooted in attributes. 

“Take 2FA as an example.  2FA is one of three things that gives stronger assurance that the user is correct: 1) something you are (biometrics), 2) something you have (like an alphanumeric key), or 3) something you know (like a challenge question).  Using 2FA for strong authentication can prevent the Golden SAML from taking hold.  When you separate the IDP generating the SAML message with the 2FA provider, you can have built-in failover if the Golden SAML enters your environment,” he said.