-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Multiple SAML libraries may allow authentication bypass via
incorrect XML canonicalization and DOM traversal
28 February 2018
AusCERT Security Bulletin Summary
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
CVE Names: CVE-2018-0489 CVE-2017-11430 CVE-2017-11429
Comment: This advisory affects multiple libraries implementing SAML, which
will have different patch schedules.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML
canonicalization and DOM traversal
Original Release date: 27 Feb 2018 | Last revised: 27 Feb 2018
Multiple SAML libraries may incorrectly utilize the results of XML DOM
traversal and canonicalization APIs in such a way that an attacker may be able
to manipulate the SAML data without invalidating the cryptographic signature,
allowing the attacker to potentially bypass authentication to SAML service
CWE-287: Improper Authentication
Security Assertion Markup Language (SAML) is an XML-based markup language for
security assertions regarding authentication and permissions, most commonly
used for single sign-on (SSO) services.
Some XML DOM traversal and canonicalization APIs may be inconsistent in their
handling of comments within XML nodes. Incorrect use of these APIs by some SAML
libraries results in incorrect parsing of the inner text of XML nodes such that
any inner text after the comment is lost prior to cryptographically signing the
SAML message. Text after the comment therefore has no impact on the signature
on the SAML message.
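The inconsistency described above can be reproduced with nothing more than the Python standard library. The following is an added illustration written for this bulletin; it is not code from any of the affected SAML libraries. The NameID fragment is a constructed sample (only the SAML 2.0 assertion namespace URI is real). `xml.etree.ElementTree.canonicalize` (Python 3.8+) stands in for the signer's view, since Canonical XML drops comments and merges the surrounding text, while `xml.dom.minidom` stands in for a DOM-traversing consumer. The `strict_name_id` and `is_safe_for_naive_parser` functions are the mitigation and detection pattern a service provider would want, not anything the affected projects shipped.

```python
# Added illustration of the VU#475445 comment-handling pitfall; not code from
# any of the affected SAML libraries. All sample input below is constructed.
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed NameID fragment whose subject text is split by an XML comment.
# Not a real SAML message; only the namespace URI is the standard SAML 2.0 one.
SAMPLE = ('<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
          'user@example.com<!-- -->.evil.com</NameID>')

# Constructed comment-free fragment, as a well-behaved IdP would emit it.
CLEAN = ('<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
         'user@example.com</NameID>')


def canonical_view(xml_text: str) -> str:
    """Return the C14N 2.0 form with comments removed: the serialization a
    signature is computed over and later verified against."""
    return ET.canonicalize(xml_text, with_comments=False)


def naive_name_id(xml_text: str) -> str:
    """The fragile pattern: read only the first DOM text node of the element.
    A comment splits the text into two nodes, so the second is silently lost."""
    doc = xml.dom.minidom.parseString(xml_text)
    return doc.documentElement.firstChild.data


def full_text_name_id(xml_text: str) -> str:
    """Safer reading: concatenate every text/CDATA child, which matches what
    the canonical (signed) form contains."""
    doc = xml.dom.minidom.parseString(xml_text)
    node = doc.documentElement
    return "".join(c.data for c in node.childNodes
                   if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))


def strict_name_id(xml_text: str) -> str:
    """Strictest reading: a subject identifier must be plain text. Any comment
    or element child is mixed content and is rejected instead of interpreted."""
    doc = xml.dom.minidom.parseString(xml_text)
    node = doc.documentElement
    text_types = (node.TEXT_NODE, node.CDATA_SECTION_NODE)
    bad = [c for c in node.childNodes if c.nodeType not in text_types]
    if bad:
        names = ", ".join(c.nodeName for c in bad)
        raise ValueError(f"<{node.localName}> contains non-text content: {names}")
    return "".join(c.data for c in node.childNodes)


def is_safe_for_naive_parser(xml_text: str) -> bool:
    """Detection check: True only when the first-text-node reading agrees with
    the full text, i.e. no comment changed the interpreted identifier."""
    return naive_name_id(xml_text) == full_text_name_id(xml_text)


if __name__ == "__main__":
    print("signed view :", canonical_view(SAMPLE))
    print("naive parse :", naive_name_id(SAMPLE))
    print("full text   :", full_text_name_id(SAMPLE))
    print("consistent  :", is_safe_for_naive_parser(SAMPLE))
    try:
        strict_name_id(SAMPLE)
    except ValueError as exc:
        print("strict parse:", exc)
```

Run stand-alone, the script shows the signer's canonical view containing `user@example.com.evil.com` while the first-text-node reading yields `user@example.com`; the two disagree, which is exactly the condition a service provider should treat as a rejected assertion rather than a valid login. Rejecting any non-text child of identifier-bearing elements, as `strict_name_id` does, is the simplest hardening because it does not depend on the DOM library's comment semantics at all.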
A remote attacker can modify SAML content for a SAML service provider without
invalidating the cryptographic signature, which may allow attackers to bypass
primary authentication for the affected SAML service provider.
The following CVEs are assigned:
CVE-2017-11427 - OneLogin's "python-saml"
CVE-2017-11428 - OneLogin's "ruby-saml"
CVE-2017-11429 - Clever's "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++
More information is available in the researcher's blog post.
By modifying SAML content without invalidating the cryptographic signature, a
remote, unauthenticated attacker may be able to bypass primary authentication
for an affected SAML service provider.
Affected SAML service providers should update software to utilize the latest
releases of affected SAML libraries. Please see the vendor list below for more
Vendor Information
Vendor                               Status        Date Notified  Date Updated
Clever, Inc.                         Affected      24 Jan 2018    26 Feb 2018
Duo Security                         Affected      -              22 Feb 2018
OmniAuth                             Affected      24 Jan 2018    06 Feb 2018
OneLogin Inc                         Affected      24 Jan 2018    27 Feb 2018
Shibboleth Consortium                Affected      24 Jan 2018    06 Feb 2018
AssureBridge                         Not Affected  -              27 Feb 2018
Okta Inc.                            Not Affected  29 Jan 2018    27 Feb 2018
Box                                  Unknown       23 Feb 2018    23 Feb 2018
Cisco                                Unknown       23 Feb 2018    23 Feb 2018
Danish e-Infrastructure Cooperation  Unknown       24 Jan 2018    24 Jan 2018
Entr'ouvert                          Unknown       24 Jan 2018    24 Jan 2018
GitHub                               Unknown       24 Jan 2018    24 Jan 2018
Google                               Unknown       23 Feb 2018    23 Feb 2018
Microsoft                            Unknown       23 Feb 2018    23 Feb 2018
Pivotal Software, Inc.               Unknown       24 Jan 2018    24 Jan 2018
CVSS Metrics
Group          Score  Vector
Base           6.3    AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal       4.9    E:POC/RL:OF/RC:C
Environmental  4.9    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability.
This document was written by Garret Wassermann.
* CVE IDs: CVE-2017-11427 CVE-2017-11428 CVE-2017-11429 CVE-2017-11430
* Date Public: 27 Feb 2018
* Date First Published: 27 Feb 2018
* Date Last Updated: 27 Feb 2018
* Document Revision: 67
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----