Information security specialists reported the finding of a severe vulnerability that resides in some single sign-on (SSO) services. According to the report, successful exploitation of these flaws would allow threat actors to fully compromise a computing environment, even those of large organizations.

It should be remembered that SSO technology is a very useful approach to authentication and identity management in IT systems, allowing individual and business users to keep strict control of access to corporate resources.

This technology has allowed organizations to lighten the workload in relation to password handling, preventing users from having to remember multiple keywords and reducing support team intervention by not having authentication issues.

About the vulnerability, NCC Group specialist Adam Roberts mentions that this is a flaw usually associated with Security Assertion Markup Language (SAML)-based SSO services. SAML is a standard for secure exchange of authentication and authorization data in different contexts. This solution integrates with Active Directory, a Microsoft directory service that is an ideal choice for deployment in enterprise environments.

This technology may be affected by deployment flaws that become an entry point for threat actors on affected systems: “The vulnerability would allow malicious hackers to modify SAML responses generated by the SSO system, resulting in leaking access data and privilege escalation scenarios in the compromised application” , the expert notes.

The expert mentions discovering that these SAML authentication responses could be modified using a technique known as SAML XML injection: “Threat actors can inject additional XML to change the structure of the SAML message,” Roberts says.

According to the report, depending on the location of the injection and the configuration of service providers, it might be possible to inject additional conditions or even inject completely new user names in an attempt to compromise the accounts of affected users. “You should be noted that the XML for SAML claims and responses is created before an encryption signature is applied, so signing the response is not functional protection against this attack variant,” the researcher says.

Roberts concluded by mentioning that the problem arose from a deployment error rather than a defect inherent in the SAML specification: “The problem seems to arise when developers create XML documents insecurely, including using string-based templates to create SAML response XML or misuse of an XML library,” he explained.