2018-03-01 Values in SAML Response can be shortened
Summary | Values in SAML Response can be shortened |
|---|---|
Advisory Release Date | 3/2/2018 - Interim Version 3/9/2018 - Final Version 3/23/2018 - Clarification of fix versions for old EOL systems |
Product | |
Affected SAML SSO versions | 0.14.7 and older (except Jira 0.11.4 and Confluence 0.12.3.3) |
Fixed SAML SSO versions | Version 0.15.3 and higher are not affected by this issue The SAML Single Sign On (SSO) Addons for Bitbucket and Bamboo are not affected. Jira version 0.11.4 and Confluence version 0.12.3.3 has been released as fix versions for very old EOL systems. |
Summary of Vulnerability
This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin Version 0.14.7 (except 0.12.3.3) and older. All 0.15.x and 2.x releases are not affected.
Please upgrade your Installations immediately to fix this vulnerability.
Details
In very specific cases, this vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.
For more details, please see https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations or https://www.kb.cert.org/vuls/id/475445.
It allows an attacker to manipulate the SAML response in a way that extracted information including the userid to be logged in is shortened.
In the following example, the NameID-value containing the userid is modified by inserting a XML-comment. Anything else than adding a comment would invalidate the reponse's signature so that it is not accepted. Affected versions would parse the NameID-value as admin instead of eviladmin.
- <?xml version="1.0" encoding="UTF-8"?>
- <saml2p:Response>
- <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://issuer</saml2:Issuer>
- <saml2p:Status>
- <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
- </saml2p:Status>
- <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-03-02T12:13:26.193Z" Version="2.0">
- <saml2:Issuer>http://issuer</saml2:Issuer>
- <saml2:Subject>
- <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
- </saml2:Subject>
- <saml2:AttributeStatement/>
- </saml2:Assertion>
- </saml2p:Response>
To exploit the following prerequisites must be met:
The SAML Single Sign On-addon is installed in version 0.14.7 or older
The attacker has valid access with a userid which can be turned into the victim user's userid by cutting off characters in the end
What You Need to Do
Upgrade to SAML Single Sign On (SSO) Version 0.15.3 or higher.
For all current Confluence and Jira Versions that are not end of Life yet, either a 0.15.x or a 2.x Version is available.
Jira version 0.11.4 has been added to the Marketplace for very old end of Life Jira Installations.
Confluence version 0.12.3.3 has been added to the Marketplace for very old end of Life Confluence Installations.
If you are running older versions of Jira or Confluence and cannot update, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.