michelangelus - Fotolia

New SAML vulnerability enables abuse of single sign-on

Duo Security discovered a new SAML flaw affecting several single sign-on vendors that allows attackers to fool SSO systems and log in as other users without their passwords.

A newly disclosed SAML vulnerability allows attackers to fool single sign-on systems and authenticate themselves as other users.

The flaw in SAML (Security Assertion Markup Language), an open standard protocol for identity and access management, was discovered by multifactor authentication provider Duo Security, Inc., which found the vulnerability in one of its own products as well as five other products from different vendors. According to Duo Security, the SAML vulnerability allows a threat actor who already has authenticated access in a single sign-on (SSO) system to authenticate as another user without that individual's SSO password.

Kelby Ludwig, senior application security engineer at Duo Security, discovered the SAML vulnerability in the Duo Network Gateway while conducting an internal product review. Soon after, he found the flaw lurking in other SSO products from OneLogin, Clever, OmniAuth and Shibboleth.

The SAML vulnerability involves how open source libraries, including Python's lxml or Ruby's REXML, handle XML comments in SAML responses. An attacker who obtains login credentials for an SSO user (through a phishing email, for example) can intercept a SAML response from the SSO system to the application requesting authentication. The attacker can then alter the XML-based response to sign in as an entirely different user.

"Exploitation of the bug is very simple," he said. "It just requires intercepting the SAML message and changing seven characters."

According to Ludwig's report, identity providers that allow open registration of accounts are especially vulnerable to the SAML flaw, while manually provisioned accounts make exploitation much more difficult.

Ludwig explained the flaw could be used by threat actors to jump from one, low-level user within an organization to a C-level user or administrator with privileged access. While not all SSO providers that use SAML are affected, he cautioned that it could affect more organizations that use SAML and certain open source libraries beyond the five vendors.

"It's not a flaw with the SAML protocol itself. It's more of a misunderstanding in how it is used," he told SearchSecurity. "We strongly suspect this will affect other vendors for years to come."

We strongly suspect this will affect other vendors for years to come.
Kelby Ludwigsenior application security engineer at Duo Security

The CERT Division of Carnegie Mellon University's Software Engineering Institute coordinated with Duo Security on disclosure of the SAML vulnerability and issued an advisory Tuesday. In addition to the affected vendors disclosed by Duo Security, the CERT advisory also listed other companies that may be affected by the flaw, including Microsoft, Google and Box, listing their status as "unknown."

Duo Security and other affected vendors released updates that addressed the SAML flaw. Ludwig recommended that other vendors check their SAML processing libraries to make sure they aren't affected by the vulnerability. In addition, he recommended enabling two-factor authentication for SSO systems.

Dig Deeper on Identity and access management