CVE-2025-34062
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-07-03
Assigner: VulnCheck
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OneLogin AD Connector versions prior to 6.1.5 allows an attacker who holds a valid directory_token to retrieve sensitive credentials via the /api/adc/v4/configuration endpoint. These credentials include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used for the tenant's SSO IdP configuration. With these credentials, an attacker can impersonate any user in the OneLogin tenant by generating valid JWT tokens, potentially gaining unauthorized access to all federated applications and services. The vulnerability arises from sensitive information being exposed through an API endpoint and from improperly secured tokens and logs. [3]
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including unauthorized disclosure of sensitive credentials, impersonation of any user within a OneLogin tenant, and full compromise of accounts and access to all applications federated through OneLogin. Attackers can exploit leaked AWS credentials to access misconfigured S3 buckets containing sensitive customer data. Ultimately, this can result in account compromise, data leakage, and unauthorized access to critical systems and services. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for unauthorized access to, or use of, the /api/adc/v4/configuration endpoint with a valid directory_token. Monitor network traffic for requests to this endpoint and inspect logs for access to sensitive API keys or AWS credentials. Additionally, check the host for the presence of a directory_token in registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OneLogin, Inc\Active Directory Connector and review the logs in C:\ProgramData\OneLogin, Inc\logs\. Commands that may assist detection include:
1) Using curl or a similar tool, if authorized, to test access to the endpoint with known tokens and verify exposure, e.g., curl -H "Authorization: Bearer <directory_token>" https://api.onelogin.com/api/adc/v4/configuration
2) Querying the registry with PowerShell: Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\OneLogin, Inc\Active Directory Connector"
3) Monitoring network traffic with tools such as tcpdump or Wireshark, filtering for traffic to api.onelogin.com and specifically the /api/adc/v4/configuration endpoint.
4) Searching logs for exposure of API keys or AWS credentials.
These steps help identify whether the vulnerability is being exploited or whether sensitive credentials are exposed on your system. [3]
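The following read-only PowerShell check is an added example, not code from the BaseFortify record or from OneLogin. It runs on a connector host and ties the detection points above together from a defender's side: it compares the installed connector version against 6.1.5, lists the value names (never the data) under the registry key named above together with that key's ACL, and counts credential-like lines in recent files under the log directory. The uninstall DisplayName pattern, the credential-like regular expressions and the seven-day window are assumptions made for this example and are not stated in the advisory.

```powershell
# Added example (not from the BaseFortify page or OneLogin): read-only host checks
# for CVE-2025-34062 exposure. Assumptions are marked inline.

$FixedVersion = [version]'6.1.5'   # fixed version as stated in the advisory text

# 1) Installed version, read from the standard Windows uninstall registry entries.
#    ASSUMPTION: the connector registers with a DisplayName matching this pattern.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*OneLogin*Active Directory Connector*' }

foreach ($app in $installed) {
    $ver = $null
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$ver) -and $ver -lt $FixedVersion) {
        Write-Warning "$($app.DisplayName) $($app.DisplayVersion) is below $FixedVersion (CVE-2025-34062): upgrade and rotate the credentials the connector holds."
    } else {
        Write-Output "$($app.DisplayName) $($app.DisplayVersion): not in the affected range."
    }
}
if (-not $installed) {
    Write-Output 'No OneLogin AD Connector uninstall entry found (the name pattern is an assumption; verify manually).'
}

# 2) Registry key named in the detection guidance. Only value NAMES are printed, never
#    the data, so a token is not copied into a console transcript or log forwarder.
$adcKey = 'HKLM:\SOFTWARE\WOW6432Node\OneLogin, Inc\Active Directory Connector'
if (Test-Path -Path $adcKey) {
    $props = Get-ItemProperty -Path $adcKey
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath/PSParentPath/... provider fields
        Select-Object -ExpandProperty Name
    Write-Output "Values present under the ADC key: $($names -join ', ')"
    # ASSUMPTION: a heuristic on value names; adjust once you know the connector's real names.
    $suspect = $names | Where-Object { $_ -match 'token|secret|key' }
    if ($suspect) {
        Write-Warning "Credential-like value names present: $($suspect -join ', '). Confirm the ACL below limits reads to SYSTEM and Administrators."
    }
    (Get-Acl -Path $adcKey).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} else {
    Write-Output "Registry key not present: $adcKey"
}

# 3) Log directory named in the guidance: for files written in the last 7 days (ASSUMPTION),
#    count lines that look like credential material. The regex is a heuristic (ASSUMPTION);
#    AKIA followed by 16 characters is the documented shape of an AWS access key ID.
$logDir = 'C:\ProgramData\OneLogin, Inc\logs'
if (Test-Path -Path $logDir) {
    Get-ChildItem -Path $logDir -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object {
            $hits = (Select-String -Path $_.FullName `
                        -Pattern 'directory_token|AKIA[0-9A-Z]{16}|aws_secret|api_key' `
                        -ErrorAction SilentlyContinue | Measure-Object).Count
            [pscustomobject]@{ File = $_.Name; LastWrite = $_.LastWriteTime; CredentialLikeLines = $hits }
        } | Format-Table -AutoSize
} else {
    Write-Output "Log directory not present: $logDir"
}
```

Run it from an elevated PowerShell session on the connector host. A non-zero CredentialLikeLines count or a below-6.1.5 version does not by itself prove exploitation; it tells you which hosts to prioritise for the upgrade, the credential rotation and the ACL review listed in the mitigation steps.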
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Upgrade the OneLogin AD Connector to version 6.1.5 or later, which contains the patch for this vulnerability.
2) Rotate all exposed credentials, including API keys, AWS IAM access and secret keys, and JWT signing keys, to prevent misuse of leaked credentials.
3) Restrict network access to the OneLogin AD Connector API endpoints so that only authorized hosts can communicate with them.
4) Secure and audit logs and registry keys to prevent unauthorized access to directory_tokens or other sensitive data.
5) Implement strict network segmentation and access controls, treating OneLogin identity federation components as Tier 0 assets.
6) Review and correct any misconfigured AWS S3 bucket permissions to prevent data leakage.
These steps reduce the risk of credential exposure and unauthorized access. [2, 3]