=====================================================================
CERT-Renater Information Note No. 2008/VULN321
_____________________________________________________________________
DATE : 03/09/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running SAML Single Sign-On (SSO) Service for Google Apps.
======================================================================

http://www.kb.cert.org/vuls/id/612636
______________________________________________________________________

Vulnerability Note VU#612636
Google SAML Single Sign on vulnerability

Overview

The SAML Single Sign-On (SSO) Service for Google Apps contained a vulnerability that could have allowed an attacker to gain access to a user's Google account.

I. Description

The Security Assertion Markup Language (SAML) is a standard for transmitting authentication data between two or more security domains. In SAML terminology, XML security packets are called assertions. Identity providers pass assertions to service providers, which allow or refuse the authentication requests.

In the Google Single Sign-On (SSO) implementation, the authentication response did not include the identifier of the authentication request or the identity of the recipient. This may allow a malicious service provider to impersonate a user at other service providers.

More technical information about this issue is available in the whitepaper "Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps", available here:
http://www.ai-lab.it/armando/pub/fmse9-armando.pdf

Note that to exploit this vulnerability, the attacker would have to convince the user to log in to their site.

II. Impact

A malicious service provider might have been able to access a user's Google Account or other services offered by different identity providers.

III. Solution

Google has addressed this issue by changing the behavior of their SSO implementation.
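The receiving side of the fix, as an added example that is not part of the CERT note or of Google's SSO code: a service provider refuses any assertion whose request identifier (InResponseTo) and recipient do not name its own AuthnRequest and endpoint, and also checks the audience. The sample responses, the entity ID, the ACS URL and the request ID are constructed values.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_binding(xml_text, request_id, sp_acs_url, sp_entity_id):
    """Return the binding problems found in a SAML Response (empty list = bound).
    The XML signature is assumed to have been verified before this runs."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    # Request identifier: ties the assertion to an AuthnRequest this SP issued
    if scd is None or scd.get("InResponseTo") != request_id:
        problems.append("InResponseTo missing or does not match our AuthnRequest ID")
    # Recipient: names the endpoint the assertion may be presented to
    if scd is None or scd.get("Recipient") != sp_acs_url:
        problems.append("Recipient missing or does not name our ACS endpoint")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include our entity ID")
    return problems

# Constructed samples (hypothetical URLs). WEAK has the shape the note describes:
# no request identifier and no recipient. BOUND carries the fields the fix requires.
WEAK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2008-09-03T12:00:00Z"/>
    </saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>"""

BOUND = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" InResponseTo="_req42">
  <saml:Assertion ID="_a2"><saml:Subject><saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
        Recipient="https://sp.example.test/acs" NotOnOrAfter="2008-09-03T12:00:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    args = ("_req42", "https://sp.example.test/acs", "https://sp.example.test")
    print("weak :", check_binding(WEAK, *args))   # three problems listed
    print("bound:", check_binding(BOUND, *args))  # []
```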
Administrators and developers were required to update their identity provider to provide a valid recipient field in their assertions.

Do not log into untrusted sites

To mitigate future vulnerabilities, users should use caution when providing their Google Account credentials to log into third-party service providers.

Systems Affected

Vendor   Status       Date Updated
Google   Vulnerable   2-Sep-2008

References

http://www.ai-lab.it/armando/pub/fmse9-armando.pdf
http://code.google.com/apis/apps/sso/saml_reference_implementation.html
http://www.ibm.com/developerworks/xml/library/x-samlmyth.html
http://en.wikipedia.org/wiki/Saml

Credit

Thanks to Alessandro Armando for reporting this issue and to Google for providing technical information and feedback.

This document was written by Ryan Giobbi.

Other Information

Date Public           06/13/2008
Date First Published  09/02/2008 08:13:18 AM
Date Last Updated     09/02/2008
CERT Advisory
CVE-ID(s)
NVD-ID(s)
US-CERT Technical Alerts
Metric                2.10
Document Revision     16

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================