
New SAML vulnerability enables abuse of single sign-on

Duo Security discovered a new SAML flaw affecting several single sign-on vendors that allows attackers to fool SSO systems and log in as other users without their passwords.

A newly disclosed SAML vulnerability allows attackers to fool single sign-on systems and authenticate themselves as other users.

The flaw in SAML (Security Assertion Markup Language), an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, was discovered by multifactor authentication provider Duo Security, Inc., which found the vulnerability in one of its own products as well as in five other products from different vendors. According to Duo Security, the SAML vulnerability allows a threat actor who already has authenticated access to a single sign-on (SSO) system to authenticate as another user without that individual's SSO password.

Kelby Ludwig, senior application security engineer at Duo Security, discovered the SAML vulnerability in the Duo Network Gateway while conducting an internal product review. Soon after, he found the same flaw in other SAML implementations from OneLogin, Clever, OmniAuth and Shibboleth.

The SAML vulnerability stems from how SAML implementations built on common open source XML libraries, including Python's lxml and Ruby's REXML, handle XML comments inside a signed SAML response. The response's signature is computed over a canonicalized form of the assertion that omits comments, so the signature still verifies after a comment is inserted; but the code that reads the asserted username may return only the text that precedes the comment. An attacker who holds credentials for an account on the SSO system (their own low-privileged account, or one obtained through a phishing email, for example) can intercept the SAML response sent from the SSO system to the application requesting authentication, alter the XML-based response and sign in as an entirely different user.

"Exploitation of the bug is very simple," he said. "It just requires intercepting the SAML message and changing seven characters."

According to Ludwig's report, identity providers that allow open registration of accounts are especially exposed to the SAML flaw, because the attacker needs an account whose username begins with the victim's username; where accounts are provisioned manually, obtaining such an account, and therefore exploitation, is much more difficult.
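The mechanism described above, as an added example that is not Duo Security's or any affected vendor's code. It uses only the Python standard library; the NameID fragment, the signing key, the HMAC stand-in for the real XML-DSig signature and all function names are constructed for this illustration. The attacker is assumed to have registered the account user@example.com.evil.com and to want the service provider to treat a signed assertion for that account as one for user@example.com.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample: the NameID element of a SAML assertion, reduced to the one
# element that matters here. Not a real vendor response.
SIGNED_ORIGINAL = "<NameID>user@example.com.evil.com</NameID>"
# The same bytes with an empty XML comment inserted: the seven characters "<!---->".
TAMPERED = "<NameID>user@example.com<!---->.evil.com</NameID>"

# Hypothetical signing key. A real SAML response carries an XML-DSig signature
# (an RSA signature over a digest of the canonicalized assertion); HMAC-SHA256
# over the canonical bytes stands in for it so the example runs offline.
SIGNING_KEY = b"idp-signing-key-for-this-example-only"


def canonical_form(xml_str: str) -> str:
    """Canonicalize with comments omitted, as exclusive C14N does for SAML
    signatures. ET.canonicalize (Python 3.8+) implements C14N 2.0, which also
    drops comments by default; that shared property is what matters here."""
    return ET.canonicalize(xml_data=xml_str, with_comments=False)


def sign(xml_str: str) -> str:
    """Stand-in for the identity provider signing the canonical assertion."""
    return hmac.new(SIGNING_KEY, canonical_form(xml_str).encode(),
                    hashlib.sha256).hexdigest()


def signature_valid(xml_str: str, signature: str) -> bool:
    """Stand-in for the service provider verifying the signature."""
    return hmac.compare_digest(sign(xml_str), signature)


def name_id_first_text_node(xml_str: str) -> str:
    """Vulnerable pattern: read only the first text child of <NameID>.
    In the DOM the comment splits "user@example.com" and ".evil.com" into two
    text nodes, so this returns exactly the prefix the attacker chose."""
    elem = minidom.parseString(xml_str).documentElement
    for child in elem.childNodes:
        if child.nodeType == child.TEXT_NODE:
            return child.data
    return ""


def name_id_from_canonical(xml_str: str) -> str:
    """Hardened pattern: take the identity from the same canonical bytes the
    signature covers. With comments removed the text is one node again."""
    elem = minidom.parseString(canonical_form(xml_str)).documentElement
    return "".join(c.data for c in elem.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_reject_comments(xml_str: str) -> str:
    """Alternative hardening: refuse any assertion whose NameID holds a comment."""
    elem = minidom.parseString(xml_str).documentElement
    if any(c.nodeType == c.COMMENT_NODE for c in elem.childNodes):
        raise ValueError("comment inside NameID; rejecting assertion")
    return "".join(c.data for c in elem.childNodes if c.nodeType == c.TEXT_NODE)


def rejects_comments(xml_str: str) -> bool:
    """True if the strict extractor refuses the assertion."""
    try:
        name_id_reject_comments(xml_str)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the attack against both extraction patterns and report the outcome."""
    sig = sign(SIGNED_ORIGINAL)  # what the identity provider actually signed
    return {
        "signature_still_valid": signature_valid(TAMPERED, sig),
        "vulnerable_extraction": name_id_first_text_node(TAMPERED),
        "hardened_extraction": name_id_from_canonical(TAMPERED),
        "strict_extractor_rejects": rejects_comments(TAMPERED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is that both sides are behaving correctly in isolation: canonicalization is supposed to drop comments, and a DOM is supposed to keep them as separate nodes. The bug is reading the identity from a different view of the document than the one the signature was checked against. Either hardened function closes the gap; extracting from the canonical form is the more general fix, since it covers any other comment-splitting position as well.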

Ludwig explained that threat actors could use the flaw to escalate from a low-level user within an organization to a C-level user or administrator with privileged access. While not all SSO providers that use SAML are affected, he cautioned that the flaw could affect organizations using SAML together with certain open source libraries well beyond the five named vendors.

"It's not a flaw with the SAML protocol itself. It's more of a misunderstanding in how it is used," he told SearchSecurity. "We strongly suspect this will affect other vendors for years to come."


The CERT Division of Carnegie Mellon University's Software Engineering Institute coordinated disclosure of the SAML vulnerability with Duo Security and issued an advisory Tuesday. In addition to the affected vendors disclosed by Duo Security, the CERT advisory listed other companies that may be affected by the flaw, including Microsoft, Google and Box, with their status given as "unknown."

Duo Security and the other affected vendors have released updates that address the SAML flaw. Ludwig recommended that other vendors check their SAML processing libraries to make sure they are not affected by the vulnerability, and that organizations enable two-factor authentication for their SSO systems.


Does your organization use SAML-based identity providers? How are you mitigating this potential risk?
We're using Microsoft's ADFS for SAML. Do you have a link to CERT's advisory for this? I can't find anything related on their site.
Here is the CERT advisory. Also, the list has been updated and Microsoft has been removed from the list, so maybe they're in the clear. But I'll double check Duo's research post -- it's more detailed about the different types of SSO/SAML implementations and open source libraries affected.
We are using Apache CXF 2.7.13 libraries for our SAML SP server implementation. Are these libraries affected by this vulnerability?
It's not currently on the list of known affected libraries, but that doesn't mean it's NOT affected. This is why this particular vulnerability is concerning/challenging -- it's unclear what the scope is at this point. In light of that, Duo Security offered some mitigation methods that are worth exploring until Apache CXF has been ruled out.