2018-03-01 Values in SAML Response can be shortened

Summary	Values in SAML Response can be shortened
Advisory Release Date	02 Mar 2018 - Interim Version 09 Mar 2018 - Final Version 23 Mar 2018 - Clarification of fix versions for old EOL systems
Product	SAML Single Sign On (SSO) for JIRA SAML Single Sign On (SSO) for Confluence
Affected SAML SSO versions	0.14.7 and older (except Jira 0.11.4 and Confluence 0.12.3.3)
Fixed SAML SSO versions	Version 0.15.3 and higher are not affected by this issue The SAML Single Sign On (SSO) Addons for Bitbucket and Bamboo are not affected. Jira version 0.11.4 and Confluence version 0.12.3.3 has been released as fix versions for very old EOL systems.

Summary of Vulnerability

This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin Version 0.14.7 (except 0.12.3.3) and older. All 0.15.x and 2.x releases are not affected.

Please upgrade your Installations immediately to fix this vulnerability.

Details

In very specific cases, this vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.

For more details, please see https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations or https://www.kb.cert.org/vuls/id/475445.

It allows an attacker to manipulate the SAML response in a way that extracted information including the userid to be logged in is shortened.

In the following example, the NameID-value containing the userid is modified by inserting a XML-comment. Anything else than adding a comment would invalidate the reponse's signature so that it is not accepted. Affected versions would parse the NameID-value as admin instead of eviladmin.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response>
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://issuer</saml2:Issuer>
    <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-03-02T12:13:26.193Z" Version="2.0">
      <saml2:Issuer>http://issuer</saml2:Issuer>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
        </saml2:Subject>
    <saml2:AttributeStatement/>
    </saml2:Assertion>
</saml2p:Response>

XML

To exploit the following prerequisites must be met:

The SAML Single Sign On-addon is installed in version 0.14.7 or older
The attacker has valid access with a userid which can be turned into the victim user's userid by cutting off characters in the end

What You Need to Do

Upgrade to SAML Single Sign On (SSO) Version 0.15.3 or higher.

For all current Confluence and Jira Versions that are not end of Life yet, either a 0.15.x or a 2.x Version is available.

Jira version 0.11.4 has been added to the Marketplace for very old end of Life Jira Installations.

Confluence version 0.12.3.3 has been added to the Marketplace for very old end of Life Confluence Installations.

If you are running older versions of Jira or Confluence and cannot update, please raise a support request via our Support Portal.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.