Researchers have discovered a vulnerability affecting Single Sign-On (SSO) systems that rely on Security Assertion Markup Language (SAML). SAML is a standard for authenticating end users to web applications. If successfully exploited, an attacker would be able to impersonate a legitimate user and obtain privileged information. There are a variety of different methods and libraries that employ the SAML standard for SSO, requiring a security fix for each affected library. This particular attack requires an attacker to have an account already created. The attacker then modifies their account name to impersonate another individual.
What we’re doing about it
- eSentire Threat Intelligence will continue to monitor the situation for future releases and updates.
What you should do about it
- Confirm with vendors and internal system teams to verify if a vulnerable library is used.
- After performing a business impact review, apply security patches to vulnerable libraries.
- Implement two-factor authentication, ensuring that one factor is separate from the Identity Provider (IdP).
The SAML vulnerability takes advantage of libraries incorrectly parsing commented strings and XML canonicalization for signing authentication tokens. The attackers are able to impersonate a legitimate user without altering the cryptographic signature.
Known Affected Systems:
- OneLogin - python-saml - CVE-2017-11427
- OneLogin - ruby-saml - CVE-2017-11428
- Clever - saml2-js - CVE-2017-11429
- OmniAuth-SAML - CVE-2017-11430
- Shibboleth - CVE-2018-0489
- Duo Network Gateway - CVE-2018-7340
For an in-depth explanation of the SAML vulnerability see the link below: