SAML: Privilege Escalation to SC_Admin by editing App Registration manifest
We currently allow clients to use our ConnectWise Control to access their own computers. We have done this using internal accounts with custom roles that limit the machines they are able to see.
With the introduction of SAML and OAuth they have begun asking if we can add their directories so they don't have to remember additional credentials to our system.
During the process of doing this, it became apparent that the roles these people receive are actually controlled by the approle "value" in the App Registration Manifest which is controlled by my client.
If they simply replace the role I want them to have with "SC_ADMIN", they become unfettered admins of my Control instance allowing them to take control of any machine in the system. I've already PoC'd this.
Other authentication sources are also likely vulnerable to this type of attack. If we were to connect LDAP to multiple Active Directories, all it would take is for someone to put themselves into a security group called "SC_ADMIN" and they would also be able to gain control.
My recommendation would be to add a field that limits the roles available to a given authentication source.
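The following is an added illustration of the recommendation above, not ConnectWise code: each authentication source carries an allow-list of roles it is permitted to grant, and any role asserted by the external directory (an appRole value from a SAML/OAuth tenant, or an LDAP group name) that is not on that list is dropped and logged rather than honoured. Source names, the client role names and the `AuthSource` structure are assumptions for the example; "SC_ADMIN" is the role named in the post.

```python
# Added example (not ConnectWise code): per-authentication-source role
# allow-list, i.e. the mitigation proposed in the post. Role names other
# than SC_ADMIN and the source names are constructed for illustration.
import logging
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

log = logging.getLogger("role_mapping")

SC_ADMIN = "SC_ADMIN"  # the privileged role from the post


@dataclass(frozen=True)
class AuthSource:
    """An identity source (internal directory, a client's SAML tenant, an LDAP domain)
    together with the only roles it is trusted to assert."""
    name: str
    allowed_roles: FrozenSet[str]


def normalize(role: str) -> str:
    # Compare case-insensitively so "sc_admin" and "SC_Admin" are treated as the
    # same name; the allow-list is deny-by-default, so unknown names never pass.
    return role.strip().upper()


def map_roles(source: AuthSource, asserted_roles: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (granted, rejected).

    A role asserted by the directory is granted only if the source is allowed to
    grant it. Anything else (including SC_ADMIN from a client tenant) is rejected
    and logged so the attempt is visible to the operator.
    """
    allowed = {normalize(r) for r in source.allowed_roles}
    granted: List[str] = []
    rejected: List[str] = []
    for role in asserted_roles:
        norm = normalize(role)
        if norm in allowed and norm not in granted:
            granted.append(norm)
        elif norm not in allowed:
            rejected.append(norm)
    if rejected:
        log.warning("source=%s rejected roles not in its allow-list: %s", source.name, rejected)
    return granted, rejected


def grants_admin(source: AuthSource, asserted_roles: Iterable[str]) -> bool:
    """True only when SC_ADMIN is asserted AND the source is allowed to grant it."""
    granted, _ = map_roles(source, asserted_roles)
    return SC_ADMIN in granted


# Constructed sources: only the internal directory may hand out SC_ADMIN.
INTERNAL = AuthSource("internal", frozenset({SC_ADMIN, "TECHNICIAN"}))
CLIENT_ACME = AuthSource("client-acme-saml", frozenset({"CLIENT_ACME_VIEWER"}))
CLIENT_LDAP = AuthSource("client-beta-ldap", frozenset({"CLIENT_BETA_VIEWER"}))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # A client tenant whose manifest (or AD group) asserts SC_ADMIN gets only its own role.
    print(map_roles(CLIENT_ACME, ["CLIENT_ACME_VIEWER", "SC_ADMIN"]))
    print(map_roles(CLIENT_LDAP, ["sc_admin"]))
    # The internal directory is the one source trusted for SC_ADMIN.
    print(grants_admin(INTERNAL, ["SC_ADMIN"]))
```

The important design choice is that the list is an allow-list per source, not a global deny-list of the admin role name: a deny-list would have to anticipate every spelling and every future privileged role, while deny-by-default means a client directory can assert whatever it likes and still only receive the roles the operator configured for that source.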
Which IdentityProvider have you integrated into ConnectWise Control for SAML?