{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/saml/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["sentry","Sentry SaaS"],"_cs_severities":["medium"],"_cs_tags":["authentication","saml","sso","account takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Sentry"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42354, has been identified in the SAML Single Sign-On (SSO) implementation of Sentry, potentially allowing an attacker to compromise user accounts. This vulnerability stems from improper authentication during the SAML SSO process, leading to the possibility of user identity linking. The vulnerability affects Sentry versions 21.12.0 up to and including 26.4.0. To exploit this vulnerability, an attacker requires a malicious SAML Identity Provider and access to another organization within the same Sentry instance, coupled with knowledge of the victim\u0026rsquo;s email address. This attack vector poses a significant risk to self-hosted Sentry instances that are configured with multiple organizations (SENTRY_SINGLE_ORGANIZATION = False), where a malicious user possesses the necessary permissions to modify SSO settings for a different organization. Sentry SaaS has already been patched in April.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that has multiple organizations configured.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains permissions to modify the SAML SSO settings of at least one organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML Identity Provider (IdP) designed to inject or manipulate user identity attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the malicious SAML IdP to initiate a single sign-on (SSO) process to a Sentry organization they control.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the email address of the targeted victim, linking the victim\u0026rsquo;s identity in the Sentry instance to the malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to their Sentry account through SAML SSO.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Sentry incorrectly authenticates the victim based on the attributes provided by the attacker\u0026rsquo;s malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully takes over the victim\u0026rsquo;s account, gaining access to sensitive data and functionalities associated with the victim\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete account takeover, resulting in unauthorized access to sensitive project data, configuration settings, and potentially even administrative privileges within the Sentry instance. This poses a substantial risk to organizations using vulnerable Sentry versions, as attackers could exfiltrate sensitive information, modify configurations, or disrupt services. The impact is particularly severe for self-hosted Sentry instances with multiple organizations, where a single compromised account could lead to broader access across the entire platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.4.1 or higher to patch CVE-2026-42354.\u003c/li\u003e\n\u003cli\u003eEnable user account-based two-factor authentication (2FA) for all Sentry accounts as a preventative measure, as mentioned in the Workarounds section.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry audit logs for any unauthorized changes to SAML SSO configurations, particularly within multi-organization setups, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for modifying SSO settings across all organizations to minimize the attack surface, as described in the Overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T20:45:20Z","date_published":"2026-04-30T20:45:20Z","id":"/briefs/2026-05-sentry-saml-takeover/","summary":"A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.","title":"Sentry SAML SSO Improper Authentication Allows User Identity Linking","url":"https://feed.craftedsignal.io/briefs/2026-05-sentry-saml-takeover/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","signature-bypass","authentication","authorization","web-application"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eAdmidio, a free web-based content management system for organizations and groups, contains a critical vulnerability in its SAML Single Sign-On (SSO) implementation. The \u003ccode\u003evalidateSignature()\u003c/code\u003e method within the SAMLService class returns error strings upon signature validation failure, rather than throwing exceptions. The calling functions, \u003ccode\u003ehandleSSORequest()\u003c/code\u003e and \u003ccode\u003ehandleSLORequest()\u003c/code\u003e, incorrectly assume that the method throws an exception, and therefore, do not check the return value. This oversight renders the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e configuration option ineffective, allowing attackers to forge SAML AuthnRequests and LogoutRequests. An attacker can exploit this vulnerability to obtain sensitive user information or cause denial of service by terminating user sessions. This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to \u003ccode\u003emodules/sso/index.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereceiveMessage()\u003c/code\u003e function parses the SAML binding directly from the HTTP request, requiring no prior authentication.\u003c/li\u003e\n\u003cli\u003eThe Entity ID is extracted from the forged request\u0026rsquo;s Issuer element, and the corresponding client configuration is loaded.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateSignature()\u003c/code\u003e function is called, but its return value (indicating signature validity) is discarded.\u003c/li\u003e\n\u003cli\u003eFor AuthnRequests, if the targeted user has an active session (\u003ccode\u003e$gValidLogin\u003c/code\u003e is true), the login form is skipped.\u003c/li\u003e\n\u003cli\u003eAdmidio builds a SAML Response containing the user\u0026rsquo;s attributes (login, name, email, roles) and sends it to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor LogoutRequests, the user\u0026rsquo;s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e setting. This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties by forging SSO requests and redirecting them to attacker-controlled endpoints. Furthermore, attackers can terminate any user\u0026rsquo;s Admidio session by forging SLO requests, potentially causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can potentially impact all users of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix in the Admidio codebase to check the return value of \u003ccode\u003evalidateSignature()\u003c/code\u003e and throw an exception on failure, as outlined in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-25cw-98hg-g3cg)\"\u003ehttps://github.com/advisories/GHSA-25cw-98hg-g3cg)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML AuthnRequest Detection\u0026rdquo; to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML LogoutRequest Detection\u0026rdquo; to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/adm_program/modules/sso/index.php/saml/sso\u003c/code\u003e and \u003ccode\u003e/adm_program/modules/sso/index.php/saml/slo\u003c/code\u003e without proper signature validation to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Admidio to address CVE-2026-41669.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:56:13Z","date_published":"2026-04-29T21:56:13Z","id":"/briefs/2026-04-admidio-saml-bypass/","summary":"Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.","title":"Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests","url":"https://feed.craftedsignal.io/briefs/2026-04-admidio-saml-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-27197"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sentry","saml","sso","authentication","account-takeover"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-27197) has been identified in the SAML Single Sign-On (SSO) implementation within Sentry, a popular error tracking and performance monitoring platform. This vulnerability allows a malicious actor to potentially take over user accounts by leveraging a rogue SAML Identity Provider (IdP) in conjunction with another organization configured within the same Sentry instance. The attacker needs to know the victim\u0026rsquo;s email address for successful exploitation. This flaw primarily impacts self-hosted Sentry deployments with multiple organizations enabled (SENTRY_SINGLE_ORGANIZATION = False) and where a malicious user possesses the ability to modify SSO settings for another organization. Sentry SaaS was patched on February 18, 2026. Self-hosted users should upgrade to version 26.2.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that hosts multiple organizations. This could be through compromised credentials or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user\u0026rsquo;s email address within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains permissions to modify SSO settings for an organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a malicious SAML Identity Provider (IdP) for the organization they control. This IdP is designed to spoof user identities.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to Sentry via SAML SSO.\u003c/li\u003e\n\u003cli\u003eSentry redirects the victim to the attacker\u0026rsquo;s malicious SAML IdP for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious SAML IdP asserts the victim\u0026rsquo;s identity (using the known email address) to Sentry, but the assertion is illegitimate and controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eSentry, due to the vulnerability, improperly validates the SAML assertion, allowing the attacker to successfully authenticate as the victim and gain unauthorized access to their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely take over a targeted user\u0026rsquo;s Sentry account. This grants the attacker the ability to access sensitive project data, modify configurations, invite/remove team members, and potentially disrupt the entire Sentry instance\u0026rsquo;s operations. The vulnerability affects Sentry versions 21.12.0 up to, but not including, 26.2.0. The number of potential victims depends on the number of vulnerable Sentry instances with multiple organizations configured and the attacker\u0026rsquo;s ability to modify SSO settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.2.0 or later to patch CVE-2026-27197.\u003c/li\u003e\n\u003cli\u003eEnable two-factor authentication (2FA) on all Sentry accounts. Users can manage this in Account Settings \u0026gt; Security, as mentioned in the \u003ca href=\"https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account\"\u003ehelpdesk article\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry logs for unusual SSO configuration changes, specifically modifications to SAML Identity Provider settings. Deploy a rule that detects modifications to the \u003ccode\u003eSENTRY_SINGLE_ORGANIZATION\u003c/code\u003e setting, as this is a prerequisite for exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious SAML Authentication\u003c/code\u003e to identify potential unauthorized SAML authentication attempts based on unusual IP addresses or user agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-sentry-saml-sso-takeover/","summary":"A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.","title":"Sentry SAML SSO Improper Authentication Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sentry-saml-sso-takeover/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34840"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-34840","saml","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the \u003ccode\u003eApp/FeatureSet/Identity/Utils/SSO.ts\u003c/code\u003e file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the \u003ccode\u003eisSignatureValid()\u003c/code\u003e function checks the signature of the first \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e element, while the \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion element \u003ccode\u003eassertion[0]\u003c/code\u003e. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. The vulnerability has been patched in version 10.0.42.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user\u0026rsquo;s email).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends this malicious assertion to a valid, signed SAML assertion generated for a low-privilege account or a newly created account.\u003c/li\u003e\n\u003cli\u003eThe combined SAML response is sent to the OneUptime platform for authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSignatureValid()\u003c/code\u003e function verifies the signature of the second assertion (the originally signed, valid one), passing the signature check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.\u003c/li\u003e\n\u003cli\u003eOneUptime grants access based on the forged identity extracted from the malicious assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to inspect SAML responses for multiple assertions and reject requests containing more than one assertion to prevent the attack described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs or deviations from normal authentication patterns related to the webserver log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:16:28Z","date_published":"2026-04-02T20:16:28Z","id":"/briefs/2024-01-oneuptime-auth-bypass/","summary":"OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending unsigned assertions.","title":"OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)","url":"https://feed.craftedsignal.io/briefs/2024-01-oneuptime-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","saml","iam","deletion","impact"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe deletion of a SAML provider in AWS can be a significant indicator of malicious activity. An attacker who has gained initial access to an AWS environment may attempt to remove the SAML provider used by the information security team or system administrators. This action can severely impede the team\u0026rsquo;s ability to investigate and respond to ongoing attacks. By disrupting access, the attacker gains a window of opportunity to further escalate privileges, move laterally within the environment, and achieve their objectives without immediate detection or intervention. This activity directly impacts the availability and integrity of resources within the AWS cloud environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to an AWS account through compromised credentials or other means (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing IAM resources, including SAML providers, using AWS CLI or API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the SAML provider used by administrative or security teams.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e API call via the AWS CLI, API, or AWS Management Console (T1531).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e event is logged in AWS CloudTrail with a \u0026ldquo;success\u0026rdquo; status.\u003c/li\u003e\n\u003cli\u003eAdministrative and security teams lose access to AWS resources that require SAML authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to escalate privileges, create new IAM users, or modify existing policies.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment, potentially exfiltrating data or deploying malicious workloads (T1485).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an AWS SAML provider can have serious consequences. It disrupts access for administrators and security personnel, delaying incident response and potentially allowing attackers to further compromise the environment. This can lead to data breaches, service disruptions, and financial losses. The severity of the impact depends on the criticality of the affected AWS resources and the speed of detection and recovery.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SAML Provider Deletion Activity\u0026rdquo; to your SIEM and tune for your environment to detect this specific event.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eDeleteSAMLProvider\u003c/code\u003e events in AWS CloudTrail, focusing on the user identity, user agent, and source IP address (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users, especially those with administrative privileges, to reduce the risk of credential compromise (T1110).\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all IAM roles and users to limit the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-19T00:00:00Z","date_published":"2024-12-19T00:00:00Z","id":"/briefs/2024-12-19-aws-saml-provider-deletion/","summary":"An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.","title":"AWS SAML Provider Deletion Activity","url":"https://feed.craftedsignal.io/briefs/2024-12-19-aws-saml-provider-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","sso","acs-bypass","admidio","cve-2026-41670"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eA vulnerability exists in Admidio\u0026rsquo;s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered \u003ccode\u003esmc_acs_url\u003c/code\u003e for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP\u0026rsquo;s Entity ID.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. This is often publicly available from the SP\u0026rsquo;s metadata endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e to a URL controlled by the attacker (e.g., \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SAML AuthnRequest to Admidio\u0026rsquo;s SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.\u003c/li\u003e\n\u003cli\u003eAdmidio\u0026rsquo;s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.\u003c/li\u003e\n\u003cli\u003eIf the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user\u0026rsquo;s identity and attributes. The destination of the SAML response is set to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e taken directly from the AuthnRequest.\u003c/li\u003e\n\u003cli\u003eAdmidio renders an auto-submitting HTML form in the victim\u0026rsquo;s browser, which POSTs the signed SAML response to the attacker\u0026rsquo;s URL (\u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the SAML response, extracting the user\u0026rsquo;s login name, email, full name, roles, and any other profile fields included in the assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. The scope change enables impersonation across separate service provider applications. The vulnerability is exploitable without requiring knowledge of cryptographic keys if \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e is not enabled, making it easier to exploit. All versions of Admidio up to and including 5.0.8 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, enable \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e and \u003ccode\u003esmc_validate_signatures\u003c/code\u003e for all SAML clients to enforce signature validation, mitigating attacks from unauthenticated sources.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the Admidio SSO endpoint (\u003ccode\u003e/modules/sso/index.php/saml/sso\u003c/code\u003e) with suspicious \u003ccode\u003eSAMLRequest\u003c/code\u003e parameters containing attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e values, which can be detected using the \u0026ldquo;Admidio SAML AuthnRequest ACS URL Override\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to attacker-controlled URLs, such as \u003ccode\u003ehttps://attacker.test/steal-saml\u003c/code\u003e, which may indicate successful exploitation and the exfiltration of SAML responses as listed in the IOC table.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-admidio-saml-acs-bypass/","summary":"Admidio's SAML IdP implementation in its SSO module is vulnerable to sending SAML responses to unvalidated Assertion Consumer Service URLs, allowing an attacker to craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response, containing user identity attributes, to an attacker-controlled URL, enabling impersonation of the victim user on the legitimate SP by replaying the SAML assertion.","title":"Admidio SAML Assertion Consumer Service (ACS) URL Validation Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-29-admidio-saml-acs-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS STS"],"_cs_severities":["medium"],"_cs_tags":["aws","saml","cloudtrail","initial-access","lateral-movement","persistence","privilege-escalation","stealth"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious Security Assertion Markup Language (SAML) activity within Amazon Web Services (AWS). The activity includes monitoring for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e and \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events. An adversary might exploit SAML to gain unauthorized access, escalate privileges, move laterally within the AWS environment, or establish persistent backdoor access. The focus is on detecting unusual or unauthorized modifications to SAML configurations and role assumptions, which could indicate a compromised identity provider or malicious actor leveraging SAML for illicit purposes. Defenders should prioritize monitoring SAML-related API calls to identify and mitigate potential threats early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises or creates a malicious SAML identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the AWS environment to trust the malicious SAML provider using \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SAML assertion to assume a specific role within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e API call to authenticate with AWS using the crafted SAML assertion.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the SAML assertion and, if valid, provides temporary credentials for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to perform actions within AWS, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, accessing resources and services authorized for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating backdoors or modifying existing IAM policies, leveraging the initially gained access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via SAML manipulation can lead to a complete compromise of the AWS environment. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and deploy malicious infrastructure. The impact includes potential data breaches, financial losses, and reputational damage. The number of affected resources depends on the permissions associated with the roles assumed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events to detect suspicious role assumptions (see \u0026ldquo;AssumeRoleWithSAML Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events to detect unauthorized SAML provider modifications (see \u0026ldquo;UpdateSAMLProvider Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events originating from unfamiliar user agents or IP addresses by reviewing CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events for unexpected changes to SAML provider configurations. Review associated CloudTrail logs for user identity, user agent, and hostname to ensure authorized access.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment, addressing false positives by exempting known, legitimate behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:30Z","date_published":"2024-01-03T18:22:30Z","id":"/briefs/2024-01-03-aws-suspicious-saml/","summary":"This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.","title":"Suspicious AWS SAML Activity Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-suspicious-saml/"}],"language":"en","title":"CraftedSignal Threat Feed — Saml","version":"https://jsonfeed.org/version/1.1"}