Bug 1940089 (CVE-2021-28091)
| Summary: | CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | jhrozek, rcritten, rschiron, security-response-team, spoore, ssorce, thalman |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | lasso 2.7.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-02 19:06:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1951653, 1963855, 1966606, 1966607 | | |
| Bug Blocks: | 1940091 | | |
Description
Pedro Sampaio
2021-03-17 15:19:51 UTC
mod_auth_mellon depends on lasso but it doesn't embed it, so we don't need to keep track of it in the affects list.

Statement: Lasso is provided in Red Hat Enterprise Linux 7 and 8 only as a dependency of mod_auth_mellon, without development files. The way mod_auth_mellon uses Lasso makes it not vulnerable to this flaw, because SAML responses are additionally validated to have exactly one assertion, thus it is not possible for an attacker to include an unsigned SAML assertion after a signed valid one. Red Hat Enterprise Linux 7 also provides a lasso-python package that can be used to create python applications that use Lasso; however, Red Hat only ships ipsilon which uses it. Ipsilon does not use the vulnerable functions of Lasso.

This flaw can be used by a remote attacker who already has a valid SAML response (e.g. if he's a user recognized by the Identity Provider or if he can do man-in-the-middle and steal a valid response). It allows the attacker to add extra assertions, even if unsigned, at the end of the SAML response with possibly signed assertions within it. Lasso just verifies the signature of the first assertion and ignores the others after it, while considering the last assertion as the one returned by lasso_login_get_assertion(). This vulnerability could allow attackers to modify their identity and/or impersonate other users/roles within the same organization.

References:
https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0

Upstream patch:
https://git.entrouvert.org/lasso.git/commit/?id=ea7e5efe9741e1b1787a58af16cb15b40c23be5a

Created lasso tracking bugs for this issue:
Affects: fedora-all [bug 1966607]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:2989 https://access.redhat.com/errata/RHSA-2021:2989

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-28091

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4325 https://access.redhat.com/errata/RHSA-2021:4325
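The report above pins the flaw on two things: the signature of the first assertion is checked but the last assertion is the one consumed, and nothing rejects a response carrying more than one assertion (the check mod_auth_mellon adds on top of Lasso). The following added example, which is not Lasso, mod_auth_mellon or Red Hat code, shows the structural checks a relying party can apply before trusting an assertion: exactly one saml:Assertion as a direct child of samlp:Response, unique ID attributes, an enveloped ds:Signature whose Reference URI points at that assertion's own ID, and the element returned to the application being the very element that was checked. The namespace URIs are the standard SAML 2.0 and XML-DSig ones; the sample responses, their IDs and the NameID values are constructed, and the signature values are placeholders. Cryptographic verification of the returned element (xmlsec in Lasso's case) is assumed to run separately; this code only performs the structural part.

```python
"""Structural checks against SAML assertion wrapping (CVE-2021-28091 shape).

Added example; not Lasso or mod_auth_mellon code. Cryptographic signature
verification is assumed to be done separately on the element returned here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_response(response_xml: str):
    """Return (assertion_element, "") when the structural checks pass,
    or (None, reason) when the response must be rejected."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return None, f"malformed XML: {exc}"
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None, "root element is not samlp:Response"

    # Direct children only: an assertion nested deeper (inside ds:Object,
    # Extensions, ...) is not the response's assertion and must not count.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # The "exactly one assertion" rule: a signed assertion followed by an
        # appended unsigned one is rejected here instead of being consumed.
        return None, f"expected exactly one saml:Assertion, found {len(assertions)}"
    assertion = assertions[0]

    # IDs must be unique, otherwise a Reference URI could resolve to an
    # element other than the one the application later consumes.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return None, "duplicate ID attributes in response"

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return None, "assertion carries no enveloped ds:Signature"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + (assertion.get("ID") or ""):
        return None, "signature Reference does not cover this assertion"
    # The element handed back is exactly the one that passed the checks above.
    return assertion, ""


def accepted_name_id(response_xml: str):
    """Identity a relying party would trust, or None if the response is rejected."""
    assertion, _reason = check_response(response_xml)
    if assertion is None:
        return None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None


# --- constructed sample responses (not real IdP output; signature values are placeholders) ---

def _response(body: str) -> str:
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0">'
        % (NS["samlp"], NS["saml"], NS["ds"])
        + body
        + "</samlp:Response>"
    )

SIGNED_ALICE = """
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>"""

UNSIGNED_BOB = """
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>"""

GOOD_RESPONSE = _response(SIGNED_ALICE)
WRAPPED_RESPONSE = _response(SIGNED_ALICE + UNSIGNED_BOB)  # signed first, unsigned appended
UNSIGNED_RESPONSE = _response(UNSIGNED_BOB)

if __name__ == "__main__":
    for label, xml in [("good", GOOD_RESPONSE), ("wrapped", WRAPPED_RESPONSE), ("unsigned", UNSIGNED_RESPONSE)]:
        _, reason = check_response(xml)
        verdict = f"accepted as {accepted_name_id(xml)}" if not reason else f"rejected: {reason}"
        print(f"{label:9s} -> {verdict}")
```

The order matters: the count and reference checks run on the parsed tree before any signature is verified, and the application only ever sees the element that both passed the structural checks and (in a real deployment) verified cryptographically, which removes the "verify the first, return the last" gap described in the report.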