Severity

high

Azure AD Flaw Allowed SAML Token Persistence

Published Wed, Jan 18th, 2023

Platforms

azure

Summary

A vulnerability in Azure Active Directory allowed users to keep obtaining tokens for SAML applications after their assignment to those applications had been removed. An attacker with an account that had once been assigned could use this to persist in, and in some cases elevate privileges within, a targeted SAML application. The bypass was triggered by chaining a sign-in to an additional application with specific parameters in the token request, which caused Azure AD to issue the SAML token without verifying that the user was still assigned to the target application.

Affected Services

Azure Active Directory

Remediation

None required. Microsoft has fixed the issue in Azure Active Directory.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Thu, Aug 4th, 2022

Exploitability Period

Until 2022/10/25

Known ITW Exploitation

-

Detection Methods

Monitor successful sign-ins to SAML applications that require user assignment and correlate them with audit-log events that remove app role assignments: a successful sign-in to an application by a user whose assignment was removed earlier, with no re-assignment in between, is the signature of this bypass. Review Azure AD enterprise applications for unexpected user assignments, consents and permission grants.
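The correlation described above, as an added example that is not part of the original entry or of Secureworks' research: it joins audit-log app role assignment changes against sign-in records and flags successful sign-ins that occur while the user's assignment to that application is in the "removed" state. The log records are constructed for the example and use a simplified version of the field names found in Azure AD audit and sign-in log exports (activityDisplayName, targetResources, userPrincipalName, appDisplayName, status.errorCode); the exact export shape is an assumption, and a real run would read the records from Microsoft Graph or a Log Analytics export instead.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (assumption: a simplified shape of exported
# Azure AD audit and sign-in logs; not real tenant data).
AUDIT_LOG_LINES = [
    json.dumps({"activityDateTime": "2022-08-01T09:00:00Z",
                "activityDisplayName": "Remove app role assignment from user",
                "targetResources": [
                    {"type": "User", "userPrincipalName": "alice@contoso.example"},
                    {"type": "ServicePrincipal", "displayName": "Payroll SAML App"}]}),
    json.dumps({"activityDateTime": "2022-08-01T09:05:00Z",
                "activityDisplayName": "Remove app role assignment from user",
                "targetResources": [
                    {"type": "User", "userPrincipalName": "bob@contoso.example"},
                    {"type": "ServicePrincipal", "displayName": "Payroll SAML App"}]}),
    json.dumps({"activityDateTime": "2022-08-03T08:00:00Z",
                "activityDisplayName": "Add app role assignment to user",
                "targetResources": [
                    {"type": "User", "userPrincipalName": "bob@contoso.example"},
                    {"type": "ServicePrincipal", "displayName": "Payroll SAML App"}]}),
]
SIGNIN_LOG_LINES = [
    # alice, before her assignment was removed: expected
    json.dumps({"createdDateTime": "2022-07-31T12:00:00Z", "userPrincipalName": "alice@contoso.example",
                "appDisplayName": "Payroll SAML App", "status": {"errorCode": 0}}),
    # alice, successful sign-in after removal: the bypass signature
    json.dumps({"createdDateTime": "2022-08-02T14:30:00Z", "userPrincipalName": "alice@contoso.example",
                "appDisplayName": "Payroll SAML App", "status": {"errorCode": 0}}),
    # alice, rejected after removal (AADSTS50105, user not assigned): the check worked
    json.dumps({"createdDateTime": "2022-08-02T14:31:00Z", "userPrincipalName": "alice@contoso.example",
                "appDisplayName": "Payroll SAML App", "status": {"errorCode": 50105}}),
    # bob, signed in after being re-assigned: expected
    json.dumps({"createdDateTime": "2022-08-04T09:00:00Z", "userPrincipalName": "bob@contoso.example",
                "appDisplayName": "Payroll SAML App", "status": {"errorCode": 0}}),
    # alice, unrelated application with no assignment changes: expected
    json.dumps({"createdDateTime": "2022-08-02T15:00:00Z", "userPrincipalName": "alice@contoso.example",
                "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}),
]


def parse_ts(value):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assignment_events(audit_lines):
    """Build {(upn, app): [(timestamp, 'removed'|'added'), ...]} from audit records."""
    events = {}
    for line in audit_lines:
        rec = json.loads(line)
        name = rec.get("activityDisplayName", "")
        if name == "Remove app role assignment from user":
            kind = "removed"
        elif name == "Add app role assignment to user":
            kind = "added"
        else:
            continue
        upn = app = None
        for target in rec.get("targetResources", []):
            if target.get("type") == "User":
                upn = target.get("userPrincipalName", "").lower()
            elif target.get("type") == "ServicePrincipal":
                app = target.get("displayName")
        if upn and app:
            events.setdefault((upn, app), []).append((parse_ts(rec["activityDateTime"]), kind))
    for history in events.values():
        history.sort()
    return events


def assignment_state_at(history, ts):
    """Most recent assignment change at or before ts; None if no audit event precedes it."""
    state = None
    for event_ts, kind in history:
        if event_ts <= ts:
            state = kind
        else:
            break
    return state


def find_unassigned_signins(audit_lines, signin_lines):
    """Return successful sign-ins that happened while the user's assignment was removed."""
    events = assignment_events(audit_lines)
    flagged = []
    for line in signin_lines:
        rec = json.loads(line)
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a rejected sign-in means the assignment check was enforced
        upn = rec.get("userPrincipalName", "").lower()
        app = rec.get("appDisplayName")
        ts = parse_ts(rec["createdDateTime"])
        if assignment_state_at(events.get((upn, app), []), ts) == "removed":
            flagged.append({"user": upn, "app": app, "signin_time": rec["createdDateTime"]})
    return flagged


if __name__ == "__main__":
    for hit in find_unassigned_signins(AUDIT_LOG_LINES, SIGNIN_LOG_LINES):
        print("suspicious sign-in after assignment removal:", hit)
```

Only the second sign-in is flagged: the rejected attempt is what a correctly enforced assignment check looks like, and bob's sign-in follows a re-assignment. Against a real tenant the same join can be expressed in Log Analytics over the AuditLogs and SigninLogs tables, or the records can be pulled from the Microsoft Graph auditLogs/directoryAudits and auditLogs/signIns endpoints; the logic stays the same, but the target-resource layout should be checked against the tenant's actual records before relying on it.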

Piercing Index Rating

-

Discovered by

Secureworks Counter Threat Unit