What You Need to Know About Today's SAML Vulnerability Research

Today security researchers announced they found a vulnerability in some SAML implementations that threat actors could use to bypass primary authentication, potentially elevating permissions or impersonating privileged accounts. We were made aware of the vulnerability before the public disclosure and immediately patched it. Okta is not vulnerable, and we don't have any indication that the vulnerability was exploited in our systems.

Because of its potential to impact third-party applications in the Okta ecosystem, we wanted to share more background, the research and disclosure process, and the steps you can take to mitigate the risk of threat actors acting on this vulnerability.

How does this SAML vulnerability work?

Security Assertion Markup Language (SAML) is an XML-based markup language for security assertions regarding authentication and permissions. By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for an affected SAML service provider. More simply, this means that if an attacker is able to create or successfully compromise an account, he or she could use this vulnerability to add comments to an attribute in order to get access to a privileged account, like an administrator account. Two examples:

1. By creating or compromising [email protected], an attacker could use non<comment>[email protected] to potentially get access to either "non" or [email protected] – the latter of which giving privileged access into an organization.
2. An attacker targeting SAML assertions that deal with groups could escalate privileges by performing the same type of attack as the userID, but through changing group membership at the time the service provider parses authentication.

While these are two examples, the threat actor could use any SAML attribute to exploit this vulnerability. It is important to note though that the threat actor must first obtain access to either a created or compromised account in order to exploit this vulnerability.

How did you find out about this?

Security research teams look for vulnerabilities in order to find – and patch – them before a threat actor can. They are a critical part of the security community, exploring a variety of technologies to catch problems before they can be exploited. Our own research team, Okta REX (Research and Exploitation), publishes research on our security blog. We also work with organizations like Bugcrowd to expand coverage of our internal attack team by adding a solid bench of diversity and breadth of capabilities.

In this case, another security research team found a vulnerability in a technology we leverage at Okta. Before they published the research, they worked with an organization called CERT as a part of their Responsible Disclosure process to notify us of the vulnerability so we could patch before the research was made public.

What did Okta do once notified?

After CERT reached out to notify us of the vulnerability, we immediately performed a thorough investigation and patched our system. Okta is not vulnerable to this, and we don't have any indication that the vulnerability was exploited in our systems.

As such, no actions need to be taken by our customers in their Okta deployment. However, our partners and customers do have a separate step to take in order to mitigate threats acting on this vulnerability in other applications.

What do I need to do?

Customers: Reach out to your service providers — such as those that provide SaaS applications — to make sure they have evaluated the vulnerability and if needed, taken the steps required on their end to mitigate threats acting on this vulnerability (including a template below as a reference). If applicable, you should also check your own custom SAML integrations to see if a patch needs to be applied.

Partners: Visit our dev blog for more technical details. Okta is also tracking which vendors have patched their systems. Once you have performed your own investigation and patched, reach out to [email protected].

We’ll also be keeping up-to-date information available here on our blog.

Ask Your Vendor Subject: SAML Vulnerability [XX],

The team at Okta made me aware of a vulnerability, which can impact some SAML implementations, according to CERT. You can find more about this vulnerability here.

Can you confirm whether this vulnerability impacts your application, and if so, your timeline for patching?

Thanks, [Your Name]