Multiple SAML libraries flaws allow hackers to bypass authentication to SAML service providers
Unified authentication mechanism SSO SAML recently disclosed security bypass vulnerability, SAML, and OAuth, OpenID, CAS par. An attacker using the SAML vulnerability can verify his account without having to know the victim’s password. The vulnerability is associated with 6 CVE IDs and currently affects 5 vendors. US-CERT issued a warning notice.
The vulnerability affects SAML (Secure Assertion Markup Language), an XML-based markup language commonly used to exchange authentication and authorization data between parties.
SAML has the single most important use of single sign-on (SSO) solutions, which allows users to log in to a single identity account. Unlike other shared authentication schemes such as OAuth, OpenID, OpenID Connect, and Facebook Connect-SSO, it stores the user’s identity on the central server where the user owns the account.
When users try to log in to other enterprise applications, these applications (Service Providers – SPs) make requests to the local SSO server (Identity Provider – IdP) through SAML.
In a report released later today, researchers at Duo Labs uncovered a design flaw that affected various SSO software and a few open-source libraries designed to support SAML-based SSO operations.
The pitfalls are how these libraries handle XML annotations inserted in SAML response requests. For example, researchers have noticed that if an attacker inserts a comment in the username field in a way that destroys the username, an attacker may gain access to the legitimate user’s account.
The following CVEs are assigned:
CVE-2017-11427 – OneLogin’s “python-saml”
CVE-2017-11428 – OneLogin’s “ruby-saml”
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth openSAML C++
Apply updatesAffected SAML service providers should update software to utilize the latest releases of affected SAML libraries. Please see the vendor list below for more information.
Vendor Information (Learn More)
Vendor Status Date Notified Date Updated Clever, Inc. Affected 24 Jan 2018 26 Feb 2018 Duo Security Affected – 22 Feb 2018 OmniAuth Affected 24 Jan 2018 06 Feb 2018 OneLogin Inc Affected 24 Jan 2018 27 Feb 2018 Shibboleth Consortium Affected 24 Jan 2018 06 Feb 2018 AssureBridge Not Affected – 27 Feb 2018 Okta Inc. Not Affected 29 Jan 2018 27 Feb 2018 Box Unknown 23 Feb 2018 23 Feb 2018 Cisco Unknown 23 Feb 2018 23 Feb 2018 Danish e-Infrastructure Cooperation (WAYF) Unknown 24 Jan 2018 24 Jan 2018 Entr’ouvert Unknown 24 Jan 2018 24 Jan 2018 GitHub Unknown 24 Jan 2018 24 Jan 2018 Unknown 23 Feb 2018 23 Feb 2018 Microsoft Unknown 23 Feb 2018 23 Feb 2018 Pivotal Software, Inc. Unknown 24 Jan 2018 24 Jan 2018