CERT Coordination Center


Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal

Vulnerability Note VU#475445

Original Release Date: 2018-02-27 | Last Revised: 2018-06-05

Overview

Multiple SAML libraries may incorrectly use the results of XML DOM traversal and canonicalization APIs in such a way that an attacker can manipulate SAML data without invalidating its cryptographic signature, potentially allowing the attacker to bypass authentication to SAML service providers.

Description

CWE-287: Improper Authentication

Security Assertion Markup Language (SAML) is an XML-based markup language for security assertions regarding authentication and permissions, most commonly used for single sign-on (SSO) services.

Some XML DOM traversal and canonicalization APIs may be inconsistent in how they handle comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes, such that any inner text after a comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no effect on the signature of the SAML message.

A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow the attacker to bypass primary authentication for the affected SAML service provider.
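The following is an added example, not code from the CERT note or from any of the libraries it lists. It illustrates the parsing inconsistency described above using only the Python standard library (Python 3.8 or later for xml.etree's canonicalize()): a comment-stripping canonical form, and therefore a digest or signature computed over it, is identical for a NameID with and without an embedded comment, while a "first text node" extractor returns a truncated value for the commented variant. The sample assertion is constructed for the example, namespaces are trimmed, and XML signature verification is assumed to have been done separately before the NameID is read. The strict extractor shows the check a service provider can apply: accept only text nodes inside NameID and reject anything else rather than silently skipping it.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample assertion (not real SAML traffic); namespaces trimmed
# to the minimum so the sample stays short.
ASSERTION_CLEAN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.com.other.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Same assertion, but with an XML comment splitting the NameID text into
# two separate DOM text nodes.
ASSERTION_WITH_COMMENT = ASSERTION_CLEAN.replace(
    "user@example.com.other.example",
    "user@example.com<!-- comment -->.other.example",
)


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form with comments removed (the default for
    xml.etree.ElementTree.canonicalize). A signature computed over this form
    does not change when a comment is inserted inside an element's text."""
    canonical = ET.canonicalize(xml_data=xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def naive_name_id(xml_text: str) -> str:
    """The fragile pattern: read only the first child text node of NameID.
    When a comment splits the text, everything after the comment is lost."""
    doc = minidom.parseString(xml_text)
    name_id = doc.getElementsByTagName("saml:NameID")[0]
    return name_id.firstChild.nodeValue


def strict_name_id(xml_text: str) -> str:
    """Hardened pattern: NameID may contain only text or CDATA nodes. Any
    comment, processing instruction or child element is rejected outright,
    and all text nodes are joined so nothing is silently dropped."""
    doc = minidom.parseString(xml_text)
    name_id = doc.getElementsByTagName("saml:NameID")[0]
    parts = []
    for child in name_id.childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected {child.nodeName} node inside NameID")
        parts.append(child.nodeValue)
    return "".join(parts)


if __name__ == "__main__":
    same = canonical_digest(ASSERTION_CLEAN) == canonical_digest(ASSERTION_WITH_COMMENT)
    print("canonical digests identical:", same)  # True
    print("naive extractor, clean:       ", naive_name_id(ASSERTION_CLEAN))
    print("naive extractor, with comment:", naive_name_id(ASSERTION_WITH_COMMENT))
    try:
        strict_name_id(ASSERTION_WITH_COMMENT)
    except ValueError as err:
        print("strict extractor rejected it: ", err)
```

Rejecting rather than joining is the safer default for a service provider: a NameID that contains anything other than text is not something a well-formed identity provider response should produce, and failing closed makes the anomaly visible in logs instead of letting the extractor guess at the intended value.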

The following CVEs are assigned:

CVE-2017-11427 - OneLogin’s "python-saml"
CVE-2017-11428 - OneLogin’s "ruby-saml"
CVE-2017-11429 - Clever’s "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++
CVE-2018-5387 - Wizkunde SAMLBase

More information is available in the researcher's blog post.

Impact

By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for an affected SAML service provider.

Solution

Apply updates

Affected SAML service providers should update their software to use the latest releases of the affected SAML libraries. Please see the vendor list below for more information.

Vendor Information

Clever, Inc.

Notified:  January 24, 2018 Updated:  February 26, 2018

Statement Date:   February 24, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Both the 1.x and 2.x versions are affected. A patch is available for both versions.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Duo Security

Updated:  February 28, 2018

Statement Date:   December 19, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Duo Network Gateway (DNG) is affected and assigned CVE-2018-7340.

Vendor References

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
https://duo.com/labs/psa/duo-psa-2017-003

Addendum

There are no additional comments at this time.

OmniAuth

Notified:  January 24, 2018 Updated:  February 06, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

OneLogin Inc

Notified:  January 24, 2018 Updated:  February 27, 2018

Statement Date:   February 27, 2018

Status

  Affected

Vendor Statement

Refer to the vendor's official notice.

Vendor Information

Refer to the vendor's official notice.

Vendor References

https://support.onelogin.com/hc/en-us/articles/360001271891

Addendum

Specific patch commits:

ruby-saml: https://github.com/onelogin/ruby-saml/releases/tag/v1.7.0
python-saml: https://github.com/onelogin/python-saml/releases/tag/v2.4.0
python3-saml: https://github.com/onelogin/python3-saml/releases/tag/v1.4.0

Pulse Secure

Updated:  March 28, 2018

Status

  Affected

Vendor Statement

All Pulse Secure products were evaluated and the following products are known to be vulnerable to this issue:
    • All supported versions of Pulse Connect Secure with SAML authentication server configured as Service Provider
    • Pulse WorkSpace with SAML enabled
    • Pulse One with Enterprise (SAML) SSO enabled on the admin login
    • vTM 17.4 (only) with a virtual server configured for SAML authentication
For a list of supported software versions, please refer to our EOL policy. All other Pulse Secure products (not listed above) were determined to be not vulnerable.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43667/

Addendum

There are no additional comments at this time.

Shibboleth Consortium

Notified:  January 24, 2018 Updated:  March 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://shibboleth.net/community/advisories/secadv_20180227.txt

Addendum

There are no additional comments at this time.

Wizkunde B.V.

Updated:  April 05, 2018

Statement Date:   April 03, 2018

Status

  Affected

Vendor Statement

We were notified about this bug on Monday 3-4-2018 and immediately took action to fix the ability to exploit this in implementations of our library.

The patch is written in this commit:
https://github.com/Wizkunde/SAMLBase/commit/482cdf8c090e0f1179073034ebcb609ac7c3f5b3

Vendor Information

Wizkunde SAMLBase prior to version 1.2.7 is affected; the issue was addressed in version 1.2.7. CVE-2018-5387 has been assigned.

Vendor References

https://github.com/Wizkunde/SAMLBase/issues/3
https://github.com/Wizkunde/SAMLBase/commit/482cdf8c090e0f1179073034ebcb609ac7c3f5b3

Addendum

There are no additional comments at this time.

AssureBridge

Updated:  February 27, 2018

Statement Date:   February 27, 2018

Status

  Not Affected

Vendor Statement

We have tested against the vulnerability and determined that our SAML SSO product is not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Box

Notified:  February 23, 2018 Updated:  February 28, 2018

Statement Date:   February 27, 2018

Status

  Not Affected

Vendor Statement

Box is not affected by VU#475445 and has provided guidance to customers on our community site here:
https://community.box.com/t5/Box-Product-News/Recently-reported-SAML-vulnerabilities-What-you-need-to-know-as/ba-p/52403

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://community.box.com/t5/Box-Product-News/Recently-reported-SAML-vulnerabilities-What-you-need-to-know-as/ba-p/52403

Addendum

There are no additional comments at this time.

CA Technologies

Updated:  March 07, 2018

Statement Date:   March 06, 2018

Status

  Not Affected

Vendor Statement

"The results of testing have concluded that CA Single Sign-On, and the previously named CA Federation, is not affected by this vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.ca.com/us/product-content/status/announcement-documents/2018/ca---proactive-notification---smplc---advisory---asmplc-100601.html

Addendum

There are no additional comments at this time.

Cisco

Notified:  February 23, 2018 Updated:  June 05, 2018

Statement Date:   March 01, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco AnyConnect and ASA and FTD software are not vulnerable.

Addendum

There are no additional comments at this time.

ComponentSpace Pty Ltd

Updated:  February 28, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

We have tested for this vulnerability and have determined that none of our SAML products are affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Entr'ouvert

Notified:  January 24, 2018 Updated:  February 28, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Entr'ouvert develops the lasso C library that implements SAML2. Entr'ouvert has determined lasso is not affected by this vulnerability.

Addendum

There are no additional comments at this time.

ForgeRock

Updated:  March 07, 2018

Statement Date:   March 07, 2018

Status

  Not Affected

Vendor Statement

"ForgeRock has carefully assessed our implementations of SAML 1.x, SAML2, OAuth2 SAML2 Grant, WS-Federation and the Java Fedlet, and determined that we are not affected by this vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://backstage.forgerock.com/knowledge/kb/article/a44883924

Addendum

There are no additional comments at this time.

GitHub

Notified:  January 24, 2018 Updated:  March 01, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Neither GitHub nor GitHub Enterprise are affected by this vulnerability.

Addendum

There are no additional comments at this time.

Google

Notified:  February 23, 2018 Updated:  March 01, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

Google Cloud / G Suite's SAML single sign-on for managed Google accounts using third party Identity Providers (https://support.google.com/a/answer/60224) is not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Microsoft

Notified:  February 23, 2018 Updated:  March 02, 2018

Statement Date:   March 02, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft Azure Active Directory (AAD) and Microsoft Windows Server Active Directory Federation Services (ADFS) are not affected.

Addendum

There are no additional comments at this time.

Okta Inc.

Notified:  January 29, 2018 Updated:  February 27, 2018

Statement Date:   February 15, 2018

Status

  Not Affected

Vendor Statement

Okta was made aware of the vulnerability before the public disclosure and immediately undertook a thorough code review and patched. Okta is not vulnerable, and we don't have any indication that the vulnerability was exploited in our systems.

Vendor Information

Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud enables organizations to secure and manage their extended enterprise and transform their customers’ experiences. With over 5,000 pre-built integrations to applications, infrastructure and devices, Okta customers can easily and securely adopt the technologies they need to fulfill their missions.

Vendor References

https://www.okta.com/blog/2018/02/what-you-need-to-know-about-saml-vulnerability-research/

Addendum

There are no additional comments at this time.

Ping Identity

Updated:  February 28, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

Ping Identity products (PingFederate, PingOne) have been verified and found to be Not Affected by VU#475445.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Pivotal Software, Inc.

Notified:  January 24, 2018 Updated:  February 28, 2018

Statement Date:   February 28, 2018

Status

  Not Affected

Vendor Statement

The Pivotal, Spring and Cloud Foundry teams have determined that the UAA project and Spring Security SAML are not exposed to this vulnerability and therefore do not require any upgrades.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.pivotal.io/security/vu475445
https://www.cloudfoundry.org/blog/vu475445

Addendum

There are no additional comments at this time.

SAML (golang)

Notified:  March 16, 2018 Updated:  March 19, 2018

Statement Date:   March 19, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://github.com/crewjam/saml/pull/140

Addendum

There are no additional comments at this time.

Tools4Ever

Updated:  May 18, 2018

Statement Date:   May 16, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Tools4ever utilizes an unaffected SAML library.

Addendum

There are no additional comments at this time.

VMware

Updated:  March 07, 2018

Statement Date:   March 06, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products have been determined to be unaffected:
    • VMware vCenter Server
    • VMware Identity Manager
    • VMware Cloud Director

Vendor References

https://kb.vmware.com/s/article/53040

Addendum

There are no additional comments at this time.

Danish e-Infrastructure Cooperation (WAYF)

Notified:  January 24, 2018 Updated:  January 24, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

GitLab Inc.

Notified:  March 02, 2018 Updated:  March 02, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SSO Easy

Updated:  March 02, 2018

Statement Date:   March 02, 2018

Status

  Unknown

Vendor Statement

We have tested for this vulnerability and have determined that the SAML functionality and processing is not affected by VU#475445.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

CVSS Metrics

Group Score Vector
Base 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal 4.9 E:POC/RL:OF/RC:C
Environmental 4.9 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-11427, CVE-2017-11428, CVE-2017-11429, CVE-2017-11430, CVE-2018-0489, CVE-2018-5387
Date Public: 2018-02-27
Date First Published: 2018-02-27
Date Last Updated: 2018-06-05 18:02 UTC
Document Revision: 120

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.