OneLogin AD Connector Cross-Tenant Log Leakage Vulnerability

Vulnerability

A misconfiguration in the OneLogin Active Directory (AD) Connector allows log data to be sent to a hardcoded, unverified S3 bucket. An attacker who registers this unclaimed bucket can intercept log files from other OneLogin tenants, potentially leading to unauthorized access to sensitive information such as directory tokens, user metadata, and environment configurations. This cross-tenant data leakage could facilitate the recovery of JWT signing keys and enable user impersonation.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive log data from other OneLogin tenants, including directory tokens and user metadata. This could allow for the recovery of JWT signing keys and facilitate user impersonation within the OneLogin environment.

Reproduction

The vulnerability can be reproduced by registering an unclaimed S3 bucket and configuring the OneLogin AD Connector to send logs to this bucket. Once the bucket is registered and permissions are set to allow log writing, the AD Connector will begin sending logs from the OneLogin tenant to the registered bucket. These logs can then be accessed and used to impersonate users in the OneLogin environment.

Remediation

OneLogin has released a patch for this vulnerability in version 6.1.5 of the AD Connector. Customers are advised to upgrade to this version.
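The root cause described above is a log sink bound to a bucket by name alone, with no check that the bucket exists and is owned by the expected account. The following added example (not OneLogin's code; the AD Connector's real configuration format and internals are not on this page) shows the defensive check a log shipper should perform before writing: a HEAD request on the bucket with the `ExpectedBucketOwner` condition that the real AWS S3 API supports, treating a missing (and therefore claimable) bucket or an owner mismatch as a hard stop. The `FakeS3` stub and `ClientError` class are constructed stand-ins for a boto3 client so the example runs offline; with the real client the same `head_bucket` call and error handling apply.

```python
"""Audit S3 log destinations before shipping logs to them.

Added example, not OneLogin code. Assumes a boto3-style S3 client whose
head_bucket() accepts Bucket= and ExpectedBucketOwner= and raises an
exception carrying response["Error"]["Code"] ("404" when the bucket does
not exist, "403" when the owner check fails or access is denied).
"""
from dataclasses import dataclass


class ClientError(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (constructed)."""

    def __init__(self, code, operation="HeadBucket"):
        super().__init__(f"{operation} failed with {code}")
        self.response = {"Error": {"Code": str(code)}}


class FakeS3:
    """Constructed stub of the one S3 call this example needs.

    `buckets` maps bucket name -> 12-digit owning account id. A name that
    is absent models an unclaimed bucket that anyone could register.
    """

    def __init__(self, buckets):
        self._buckets = dict(buckets)

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        owner = self._buckets.get(Bucket)
        if owner is None:
            raise ClientError("404")
        if ExpectedBucketOwner is not None and owner != ExpectedBucketOwner:
            raise ClientError("403")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


@dataclass(frozen=True)
class Verdict:
    bucket: str
    status: str      # "ok" | "unclaimed" | "forbidden"
    ship_logs: bool  # only True for "ok"


def check_log_destination(s3, bucket, expected_owner):
    """Decide whether `bucket` is a safe log sink for account `expected_owner`.

    "unclaimed": the bucket does not exist, so a third party could register
                 the name and start receiving our logs. Never write to it.
    "forbidden": S3 refused the request, either because the bucket is owned
                 by a different account (ExpectedBucketOwner failed) or we
                 lack permission. Either way, do not write.
    "ok":        the bucket exists and is owned by the expected account.
    """
    if not (expected_owner.isdigit() and len(expected_owner) == 12):
        raise ValueError("expected_owner must be a 12-digit AWS account id")
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=expected_owner)
    except ClientError as err:
        code = err.response["Error"]["Code"]
        if code == "404":
            return Verdict(bucket, "unclaimed", False)
        return Verdict(bucket, "forbidden", False)
    return Verdict(bucket, "ok", True)


def audit_log_sinks(s3, sinks, expected_owner):
    """Run the check over every configured sink; returns {bucket: Verdict}."""
    return {name: check_log_destination(s3, name, expected_owner) for name in sinks}


if __name__ == "__main__":
    # Constructed inventory: our account owns one bucket, another account
    # owns a second, and a third name is not registered by anyone.
    OUR_ACCOUNT = "111111111111"
    s3 = FakeS3({"tenant-logs-ours": OUR_ACCOUNT,
                 "tenant-logs-theirs": "222222222222"})
    configured = ["tenant-logs-ours", "tenant-logs-theirs", "tenant-logs-unclaimed"]
    for name, verdict in audit_log_sinks(s3, configured, OUR_ACCOUNT).items():
        print(f"{name:24} {verdict.status:10} ship_logs={verdict.ship_logs}")
```

The design choice that matters is that the check fails closed: a bucket that does not exist is treated as the most dangerous case, not as a transient error to retry, because retrying a write to an unregistered name is exactly the behaviour that lets another party claim the bucket and collect the logs.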

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           0.0
impact           5.0
exploitability   8.7
remediation      7.7
relevance        0.2
threat           6.4
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.