A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in position to have access to any account and data, including email messages and files stored in the cloud-based service.
Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec.
“The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote – depending on what the company has paid for in terms of licensing ),” Kakavas and Bratec told Threatpost via email. “And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information. (emails, internal documents etc. ).”
Office 365 users in the line of fire that had configured domains as federated were extensive, worldwide and high profile, ranging from British Airways, Microsoft, Vodafone, Verizon and many others listed in a report published this week.
Kakavas, of the Greek Research and Technology Network, and Bratec of the Sola prihodnosti Maribor, identified the vulnerability in the SAML Service Provider implementation in Office 365. The flaw allowed for a “cross-domain authentication bypass affecting all federated domains,” the researchers wrote. SAML is the Security Assertion Markup Language, a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.
The problem with Microsoft’s implementation of SAML 2.0 in Office 365 is that the service fails to authenticate that the subject of the assertion being passed—specifically the NameID element. The exchange must then rely on other values such as an IDPEmail attribute to validate the exchange.
“As it turns out, the Service Provider used the Issuer of the Assertion only to find the mathing certificate in order to verify the SAML Response/Assertion signature, but didn’t perform any sanity checks on the supplied value of the IDPEmail attribute,” the researchers wrote. “That basically means that it would happily consume assertions, asserting that Identity Provider X has authenticated users of Identity Provider Y.”
The researchers describe the technical details in their report. They told Threatpost that the flaw was relatively easy to exploit, but added there is not indication the flaw had ever been publicly exploited, nor how long it was present in Office 365 before it was found.
“All an attacker needed was a trial subscription to Office 365 and a SAML 2.0 Identity Provider installation. There is some bare minimum of SAML knowledge once must have, but the process of setting up SAML SSO with Office 365 is well documented and easy to follow,” the researchers said. “A more advanced attacker with slightly better SAML knowledge would be able to script a tool and perform the attack in an automated manner without the need of a SAML 2.0 Identity Provider.”
The researchers said the flaw is not limited to SAML-based single sign-on implementations; they were able to carry out the same attack over Active Directory Federation Services.
“The SAML Service Provider consumed the SAML assertion from the attacker’s org Identity Provider even though the spmb.si domain is configured to be federated with WS-Trust, forwarded it to the token translation service which translated it to an WS-Trust token and … we were in,” they wrote.
They told Threatpost: “We were surprised that the organizations that have their domains federated using WS-Trust and ADFS were also vulnerable to this. We know that pretty much only academic institutions use SAML 2.0 SSO, so in the beginning the number of vulnerable organizations seemed to be relatively small.”
The two said they were awarded close to the maximum bounty from Microsoft for their research; the bounty pays between $500 and $15,000 USD.