New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

admin, 2 March 2024 19:51:57. 15 views, 4,386 characters, about 14 minutes' reading time.

Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks.

Silver SAML "enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce," Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.

Golden SAML (short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.

It's also similar to the Golden Ticket attack in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.

"Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency," security researcher Shaked Reiner noted at the time.

Real-world attacks leveraging the method have been rare, the first recorded use being the compromise of SolarWinds infrastructure to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.

Golden SAML has also been weaponized by an Iranian threat actor codenamed Peach Sandstorm in a March 2023 intrusion to access an unnamed target's cloud resources sans requiring any password, Microsoft revealed in September 2023.

The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn't require access to the Active Directory Federation Services (AD FS). It has been assessed as a moderate-severity threat to organizations.

"Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing," the researchers said. "Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk."

"Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user."

Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.

While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed SilverSAMLForger to create custom SAML responses.

"Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement," the researchers said.

"You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events."
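The correlation the researchers describe (a PreferredTokenSigningKeyThumbprint change under ApplicationManagement, matched against "Add service principal credentials" events for the same service principal, then checked against a change-control record) can be scripted over exported audit logs. The following is an added example written for this page, not Semperis' tooling or Microsoft's: the audit entries, service principal ids, actor names and change ticket are constructed, and the event layout (category, activityDisplayName, targetResources[].modifiedProperties[]) is a simplified assumption about the Entra ID audit log export, which in practice carries more fields and JSON-encoded property values.

```python
"""Correlate Entra ID token-signing thumbprint changes with credential-add
events and a change-control register (constructed sample data)."""
from datetime import datetime, timedelta, timezone

THUMBPRINT_PROPERTY = "PreferredTokenSigningKeyThumbprint"
CREDENTIAL_ACTIVITY = "Add service principal credentials"

# Constructed sample audit log (simplified Entra ID audit schema, an assumption).
SAMPLE_AUDIT_LOG = [
    {   # documented rotation: credential added, then thumbprint switched, same admin
        "activityDateTime": "2024-03-01T09:00:00Z", "category": "ApplicationManagement",
        "activityDisplayName": CREDENTIAL_ACTIVITY, "initiatedBy": "it-admin@contoso.example",
        "targetResources": [{"id": "sp-salesforce", "modifiedProperties": []}],
    },
    {
        "activityDateTime": "2024-03-01T09:05:00Z", "category": "ApplicationManagement",
        "activityDisplayName": "Update service principal", "initiatedBy": "it-admin@contoso.example",
        "targetResources": [{"id": "sp-salesforce", "modifiedProperties": [
            {"displayName": THUMBPRINT_PROPERTY, "oldValue": "AA11", "newValue": "BB22"}]}],
    },
    {   # unrelated noise: different category, must be ignored
        "activityDateTime": "2024-03-02T10:00:00Z", "category": "UserManagement",
        "activityDisplayName": "Add user", "initiatedBy": "hr@contoso.example",
        "targetResources": [{"id": "user-1", "modifiedProperties": []}],
    },
    {   # off-hours change with no change ticket: worth an analyst's attention
        "activityDateTime": "2024-03-03T02:10:00Z", "category": "ApplicationManagement",
        "activityDisplayName": CREDENTIAL_ACTIVITY, "initiatedBy": "contractor@contoso.example",
        "targetResources": [{"id": "sp-finance-app", "modifiedProperties": []}],
    },
    {
        "activityDateTime": "2024-03-03T02:12:00Z", "category": "ApplicationManagement",
        "activityDisplayName": "Update service principal", "initiatedBy": "contractor@contoso.example",
        "targetResources": [{"id": "sp-finance-app", "modifiedProperties": [
            {"displayName": THUMBPRINT_PROPERTY, "oldValue": "CC33", "newValue": "DD44"}]}],
    },
]

# Constructed change-control register: approved rotation windows per service principal.
CHANGE_REGISTER = {
    "sp-salesforce": [{"ticket": "CHG-0042",
                       "start": "2024-03-01T08:00:00Z", "end": "2024-03-01T12:00:00Z"}],
}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def thumbprint_changes(audit_log):
    """Yield every ApplicationManagement event that rewrote the signing thumbprint."""
    for event in audit_log:
        if event.get("category") != "ApplicationManagement":
            continue
        for target in event.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == THUMBPRINT_PROPERTY:
                    yield {"time": parse_time(event["activityDateTime"]),
                           "service_principal": target["id"],
                           "initiated_by": event.get("initiatedBy"),
                           "old_thumbprint": prop.get("oldValue"),
                           "new_thumbprint": prop.get("newValue")}


def credential_events(audit_log, sp_id, around, window):
    """Credential-add events for the same service principal within +/- window."""
    hits = []
    for event in audit_log:
        if event.get("activityDisplayName") != CREDENTIAL_ACTIVITY:
            continue
        if not any(t.get("id") == sp_id for t in event.get("targetResources", [])):
            continue
        if abs(parse_time(event["activityDateTime"]) - around) <= window:
            hits.append(event)
    return hits


def documented_ticket(register, sp_id, when):
    for entry in register.get(sp_id, []):
        if parse_time(entry["start"]) <= when <= parse_time(entry["end"]):
            return entry["ticket"]
    return None


def analyze(audit_log, register, window_hours=24):
    """Return one finding per thumbprint change, with a verdict for triage."""
    window = timedelta(hours=window_hours)
    findings = []
    for change in thumbprint_changes(audit_log):
        creds = credential_events(audit_log, change["service_principal"], change["time"], window)
        ticket = documented_ticket(register, change["service_principal"], change["time"])
        if creds and ticket:
            verdict = "documented rotation"
        elif creds:
            verdict = "undocumented rotation"
        else:
            verdict = "thumbprint change without credential event"
        findings.append({**change, "ticket": ticket, "verdict": verdict,
                         "credential_added_by": [c["initiatedBy"] for c in creds]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG, CHANGE_REGISTER):
        print(f["time"].isoformat(), f["service_principal"], f["verdict"],
              "ticket=" + str(f["ticket"]), "added_by=" + ",".join(f["credential_added_by"]))
```

The verdict is deliberately a triage label rather than an alert: as the researchers note, certificate rotation is routine, so the value of the correlation lies in separating rotations that a change ticket explains from those that nobody documented, which are the ones an analyst should examine.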

Originally published by the WeChat public account 知机安全: New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

Posted by admin on 2 March 2024 19:51:57. Please keep the original link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2538497.html
