While single sign-on (SSO) technologies have matured significantly, some specific implementations still have security issues. Micro Focus Fortify security researchers revealed two vulnerabilities at Black Hat in Las Vegas this week that were fixed by Microsoft in July.
Web frameworks for authentication and authorization have come under intense scrutiny over the past three years. Underlying technologies, such as the Security Assertion Markup Language (SAML) and the Open Authorization (OAuth) specification, have matured.
But renewed interest in hacking web frameworks, and the lure of bug bounties, have led to a stark increase in the proportion of vulnerabilities focused on bypassing authentication, creating yet another identify and governance issue to fold into your best practices.
At Wednesday's Black Hat Security Briefings, researchers Alvaro Muñoz and Oleksandr Mirosh unveiled the details of two vulnerabilities in Microsoft's authentication technologies: One that could lead to a denial of service, and another that could allow an attacker to impersonate another user and escalate that user's privileges.
"[A SAML assertion] basically states who we are. So if we can change that and sign the whole assertion so it is still valid, we can become anyone. We can craft a token for any user."
—Alvaro Muñoz
Here's what went wrong, and what you can learn from it.
A growing problem
The issues are causing more researchers to focus on bypassing authentication. Between 2010 and 2016, only seven vulnerabilities reported in the National Vulnerability Database included the term "authentication bypass." In 2017, that number rocketed to 50. In 2018, some 85 vulnerabilities were reported, and 2019 is on track to log a similar number.
The vulnerability database shows similar trends for the core technologies of SAML and OAuth, with vulnerabilities more than tripling on average for issues in SAML and more than quadrupling on average for OAuth issues between 2010 and 2016.
Vulnerabilities are always going to happen, said Sean Frazier, advisory chief information security officer with Duo Security, a provider of authentication technology.
"The fact of the matter is that people will be able to break these things, so you need to have an expert on your side who is vigilant."
—Sean Frazier
[ Also see: How to get single sign-on right in today's hybrid IT environments ]
Manipulating SAML
Duo Security demonstrated the wisdom of that advice in 2018, when the company revealed a new class of vulnerabilities in SSO systems that could allow an attacker to manipulate the data included in a SAML assertion in such a way that the cryptographic signature would still be valid.
This class of vulnerabilities affected the authentication services of five different providers—Clever, Duo Security, OmniAuth, OneLogin, and Shibboleth—but the impact of the vulnerability varied widely depending on the platform. "The presence of this behavior is not great, but not always exploitable," Duo Security stated in an advisory.
Micro Focus Fortify's Muñoz said his team's vulnerability find was not about modifying the assertion in a way that the signature was still valid. They were able to completely modify it, or even create it from scratch, and provide a valid signature.
Older security issues with SSO
Correctly using web authentication and authorization infrastructure is tricky, but even integrating out-of-the-box SSO technologies has historically led to significant security issues.
In a 2014 paper presented at the USENIX Security Symposium, researchers from the University of Virginia probed the 20,000 most popular websites and found that 1,660 used SSO technology from Facebook. Of those sites, 20% had at least one vulnerability from five different classes for which the researchers could easily test.
"Developers often misunderstand integration requirements and make critical mistakes when integrating services such as single sign-on APIs," the researchers stated in the paper.
Microsoft's newer SSO hitches
The issues announced at this year's Black Hat Security Briefings could allow an attacker to lock up a .NET service or impersonate another user. The security researchers—Muñoz and Mirosh—used the vulnerabilities to successfully demonstrate attacks against Microsoft SharePoint and Exchange server.
The most significant vulnerability announced by the pair affects Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), two Microsoft frameworks for creating web applications and services, and authenticating users. The "Dupe Key Confusion" vulnerability (CVE-2019-1006) allows an attacker to insert a signature into SAML tokens using arbitrary attacker-generated keys, Muñoz said.
"The same key information section is processed twice, and that is a problem. Normally you will only find one element because you're signing the document with one key, but the standard allows you to provide multiple keys because there might be other use cases, such as key rotation, when more than one key is needed."
—Alvaro Muñoz
He stressed that this was not very usual, however, and therefore libraries and frameworks may not support multiple keys in a consistent way.
The second vulnerability (CVE-2019-1083) is dubbed "Arbitrary Constructor Invocation." It involves invoking a constructor method that does not take arguments to create a new instance of a cryptographic object, where some data is controlled by the attacker.
The researchers found that any public parameterless constructor can be executed. And, depending on the server configuration, the attack could cause a denial of service, information leakage, or, in a limited number of cases‚ arbitrary code execution.
"It's limited because the attacker would have to upload a DLL to the server," Muñoz said. This limitation is only for the RCE vector, however.
The fixes are in
The researchers reported the vulnerabilities to Microsoft, and the company fixed the issues during its regularly scheduled July 9 update. The denial-of-service issue affects Microsoft .NET framework version 2.0 all the way to version 4.8, according to Microsoft. The more serious vulnerability, Dupe Key Confusion, affects those platforms as well as Microsoft SharePoint, Windows 7, 8, 10, and RT, and Windows Server 2008, 2012, 2016, and 2019.
Microsoft SharePoint administrators need to update not only that software, but also the IdentityModel.dll from Microsoft, the company said.
Be careful out there
The vulnerabilities underscore that authentication and authorization frameworks are complex and their security relies on the quality of the implementation, Muñoz said. Companies should keep abreast of the latest changes and updates in their implementation of choice.
"Each company has different requirements, and there are many details that can make you choose one implementation or the other. I don't want to be pessimistic—the bugs are in the implementation and not in the protocol. Because we are finding these bugs, there are less bugs to be found, and therefore the implementations are becoming more secure."
—Alvaro Muñoz
Muñoz and Mirosh presented their findings on Wednesday at Black Hat: "SSO Wars: The Token Menace." They will also be speaking about the disclosure at Def Con on August 10.
