Summary

Values in SAML Response can be shortened

Advisory Release Date

 - Interim Version

 - Final Version

 - Clarification of fix versions for old EOL systems

Product

SAML Single Sign On (SSO) for JIRA

SAML Single Sign On (SSO) for Confluence

Affected SAML SSO versions

0.14.7 and older (except Jira 0.11.4 and Confluence 0.12.3.3)

Fixed SAML SSO versions

Versions 0.15.3 and higher are not affected by this issue.

The SAML Single Sign On (SSO) Addons for Bitbucket and Bamboo are not affected.

Jira version 0.11.4 and Confluence version 0.12.3.3 have been released as fix versions for very old EOL systems.


Summary of Vulnerability

This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On plugin versions 0.14.7 and older (except 0.12.3.3). All 0.15.x and 2.x releases are not affected.

Please upgrade your installations immediately to fix this vulnerability.

Details

In very specific cases, this vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.

For more details, please see https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations or https://www.kb.cert.org/vuls/id/475445.


It allows an attacker to manipulate the SAML response so that information extracted from it, including the userid to be logged in, is shortened.

In the following example, the NameID value containing the userid is modified by inserting an XML comment. Anything other than adding a comment would invalidate the response's signature, so the response would not be accepted. Affected versions parse the NameID value as admin instead of eviladmin.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://issuer</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-03-02T12:13:26.193Z" Version="2.0">
    <saml2:Issuer>http://issuer</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
</saml2p:Response>
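The following script is an added example, not code from the plugin or from this advisory. It parses a constructed response modelled on the one above with Python's standard-library DOM and contrasts a truncating extraction (which reads only the last text node under NameID and so yields admin) with a hardened extraction that refuses any comment or non-text node inside NameID. The function names and the sample document are assumptions made for this illustration; the exact extraction logic of the affected plugin versions is not described on this page.

```python
"""NameID extraction: truncating vs. hardened handling of an XML comment."""
from xml.dom import minidom

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the advisory's example; not a real IdP response.
TAMPERED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion IssueInstant="2018-03-02T12:13:26.193Z" Version="2.0">
    <saml2:Issuer>http://issuer</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>
"""

# The same document without the injected comment (what the IdP actually issued).
CLEAN_RESPONSE = TAMPERED_RESPONSE.replace("<!-- -->", "")


def _name_id_element(xml_text):
    """Locate the single NameID element; refuse ambiguous documents."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_ASSERTION_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID, found %d" % len(nodes))
    return nodes[0]


def naive_name_id(xml_text):
    """Truncating extraction (hypothetical): reads only the last text child.

    A comment splits the element content into two text nodes, so only the
    trailing fragment ('admin') is returned and the leading 'evil' is lost.
    """
    el = _name_id_element(xml_text)
    text_nodes = [n for n in el.childNodes if n.nodeType == n.TEXT_NODE]
    return text_nodes[-1].data


def safe_name_id(xml_text):
    """Hardened extraction: accept text-only content and return all of it.

    Any comment, element or other node inside NameID is treated as tampering
    and rejected, so the identifier can never be silently shortened.
    """
    el = _name_id_element(xml_text)
    parts = []
    for node in el.childNodes:
        if node.nodeType == node.COMMENT_NODE:
            raise ValueError("comment inside NameID rejected")
        if node.nodeType != node.TEXT_NODE:
            raise ValueError("unexpected node type %d inside NameID" % node.nodeType)
        parts.append(node.data)
    value = "".join(parts).strip()
    if not value:
        raise ValueError("empty NameID")
    return value


def is_rejected(xml_text):
    """True when the hardened extractor refuses the document."""
    try:
        safe_name_id(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive, tampered :", naive_name_id(TAMPERED_RESPONSE))   # admin
    print("safe,  clean    :", safe_name_id(CLEAN_RESPONSE))       # eviladmin
    print("safe,  tampered :", "rejected" if is_rejected(TAMPERED_RESPONSE) else "accepted")
```

Rejecting comments outright, rather than concatenating the text nodes around them, is the defensive choice here: a legitimate identity provider has no reason to place a comment inside a NameID, so the only documents affected by the check are ones that have been altered after signing.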


To exploit this vulnerability, the following prerequisites must be met:

  • The SAML Single Sign On add-on is installed in version 0.14.7 or older
  • The attacker has valid access with a userid that can be turned into the victim user's userid by cutting off characters at the end



What You Need to Do

Upgrade to SAML Single Sign On (SSO) Version 0.15.3 or higher.

For all current Confluence and Jira versions that are not yet end of life, either a 0.15.x or a 2.x version is available.

Jira version 0.11.4 has been added to the Marketplace for very old end-of-life Jira installations.

Confluence version 0.12.3.3 has been added to the Marketplace for very old end-of-life Confluence installations.

If you are running older versions of Jira or Confluence and cannot update, please raise a support request via our Support Portal.


Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.