On February 27, 2018, Duo Security released a security advisory detailing a new vulnerability class affecting Security Assertion Markup Language (SAML) based single sign-on (SSO) systems. Because of the way certain implementations parse SAML Responses, an authenticated user may be able to authenticate as a different user without knowing that user's password. As a result, numerous SAML libraries, and the solutions built on them, are exposed to privilege escalation attacks.
Zscaler has completed an assessment of all systems and has determined that Zscaler Internet Access (ZIA) is not vulnerable. Zscaler Private Access (ZPA) is potentially vulnerable in very specific circumstances. The ZPA enrollment service is not vulnerable, so an attack cannot lead to a multi-tenancy attack in which one user gains access to the account of a user in a separate company. The ZPA vulnerability is limited to the broker service and is therefore restricted to a user potentially accessing the account of another user within the same company, and only for Active Directory groups/assertions whose identifier is a prefix of another Active Directory group/assertion owned by the attacker. Zscaler has already developed a patch to address this situation and will release it as soon as QA testing has been completed.
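The prefix condition above is the visible symptom of the parsing weakness Duo described: an XML comment placed inside an assertion value splits the text into several text nodes, and a parser that reads only the first text node sees a truncated (prefix) identifier while the signature over the canonicalized document still verifies. The following is an added example, not code from the Zscaler advisory or from any SAML library, showing the unsafe extraction pattern beside a hardened one that reads every text node and rejects any assertion carrying comments. The assertion fragment, namespace handling and function names are constructed for the example.

```python
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (not taken from the advisory). The tampered
# one carries an XML comment inside NameID, splitting it into two text nodes.
CLEAN_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

TAMPERED_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID>user<!-- -->@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _name_id_node(xml_text):
    """Parse the assertion and return its single NameID element."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID element")
    return nodes[0]


def contains_comment(node):
    """True if a comment node exists anywhere beneath node."""
    for child in node.childNodes:
        if child.nodeType == child.COMMENT_NODE or contains_comment(child):
            return True
    return False


def naive_name_id(xml_text):
    """The unsafe pattern: read only the first text node of NameID.

    With a comment inside the value this yields a prefix of the real
    identifier, which is exactly the condition the advisory describes.
    """
    node = _name_id_node(xml_text)
    first = node.firstChild
    return first.data if first is not None else ""


def safe_name_id(xml_text):
    """Hardened extraction: refuse assertions containing comments anywhere,
    then concatenate all text/CDATA children so the full value is returned."""
    doc = minidom.parseString(xml_text)
    if contains_comment(doc.documentElement):
        raise ValueError("assertion contains XML comments; rejecting")
    node = _name_id_node(xml_text)
    text_types = (node.TEXT_NODE, node.CDATA_SECTION_NODE)
    value = "".join(c.data for c in node.childNodes if c.nodeType in text_types)
    if not value:
        raise ValueError("empty NameID")
    return value


if __name__ == "__main__":
    print("naive, tampered :", naive_name_id(TAMPERED_ASSERTION))
    print("safe, clean     :", safe_name_id(CLEAN_ASSERTION))
    try:
        safe_name_id(TAMPERED_ASSERTION)
    except ValueError as exc:
        print("safe, tampered  : rejected ->", exc)
```

Run stand-alone, the naive reader returns `user` for the tampered assertion while the hardened reader returns the full identifier for the clean one and raises on the tampered one. Rejecting any comment node outright is the conservative choice; a service that must tolerate comments elsewhere in the document should at least apply the check to every Subject and Attribute value it uses for authorization, and should upgrade the SAML library once the vendor's fixed release is available.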