Lasso 2.5.0, 2.6.0, and 2.6.1 are vulnerable to an XML Signature Wrapping (XSW) vulnerability where an attacker can modify a valid SAML assertion to impersonate another valid user recognized by the service using Lasso.
mod_auth_mellon depends on lasso but it doesn't embed it, so we don't need to keep track of it in the affects list.
Statement: Lasso is provided in Red Hat Enterprise Linux 7 and 8 only as a dependency of mod_auth_mellon, without development files. The way mod_auth_mellon uses Lasso makes it not vulnerable to this flaw, because SAML responses are additionally validated to have exactly one assertion, thus it is not possible for an attacker to include an unsigned SAML assertion after a signed valid one. Red Hat Enterprise Linux 7 also provides a lasso-python package that can be used to create Python applications that use Lasso; however, Red Hat only ships ipsilon, which uses it. Ipsilon does not use the vulnerable functions of Lasso.
This flaw can be used by a remote attacker who already has a valid SAML response (e.g. if he's a user recognized by the Identity Provider, or if he can do a man-in-the-middle and steal a valid response). It allows the attacker to add extra assertions, even unsigned ones, at the end of a SAML response that already contains signed assertions. Lasso only verifies the signature of the first assertion and ignores the ones after it, while considering the last assertion as the one returned by lasso_login_get_assertion(). This vulnerability could allow attackers to modify their identity and/or impersonate other users/roles within the same organization.
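The following is a toy model of the behaviour described above, added here as an illustration only: it is not Lasso's code and not a real XML-DSig implementation. The assertion "signature" is an HMAC over a hand-rolled canonical serialization (a stand-in for RSA XML-DSig with Exclusive C14N and the enveloped-signature transform), the key, IDs and subject names are constructed, and the two verifier functions (`vulnerable_get_assertion`, `hardened_get_assertion`) are hypothetical names that mimic, respectively, the flawed "verify first, return last" logic and the mod_auth_mellon-style "exactly one assertion, and it must verify" check mentioned in the statement.

```python
"""Toy model of the Lasso XSW flaw (CVE-2021-28091): the signature is checked
on the first <saml:Assertion>, but the identity is taken from the last one."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for the IdP signing key. Real SAML uses RSA/ECDSA
# XML-DSig; an HMAC is used so the example runs offline with the stdlib only.
IDP_KEY = b"idp-signing-key-for-demo-only"


def canonical(elem):
    """Deterministic serialization of an element, skipping any ds:Signature.
    Stand-in for Exclusive C14N plus the enveloped-signature transform."""
    if elem.tag == f"{{{DS}}}Signature":
        return ""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    children = "".join(canonical(c) for c in elem)
    return f"<{elem.tag}{attrs}>{elem.text or ''}{children}</{elem.tag}>"


def make_assertion(assertion_id, subject_name):
    a = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id, Version="2.0")
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject_name
    return a


def sign_assertion(assertion, key):
    mac = hmac.new(key, canonical(assertion).encode(), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac
    return assertion


def signature_valid(assertion, key):
    value = assertion.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    if not value:
        return False  # unsigned assertion
    expected = hmac.new(key, canonical(assertion).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(value, expected)


def build_response(*assertions):
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1", Version="2.0")
    resp.extend(assertions)
    return ET.tostring(resp)


def subject_of(assertion):
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def vulnerable_get_assertion(response_xml, key):
    """Flawed logic described in this bug: verify the first assertion, return the last."""
    assertions = ET.fromstring(response_xml).findall(f"{{{SAML}}}Assertion")
    if not assertions or not signature_valid(assertions[0], key):
        raise ValueError("no valid signed assertion")
    return subject_of(assertions[-1])


def hardened_get_assertion(response_xml, key):
    """mod_auth_mellon-style check: exactly one assertion, and it must verify."""
    assertions = ET.fromstring(response_xml).findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, got {len(assertions)}")
    if not signature_valid(assertions[0], key):
        raise ValueError("assertion signature invalid")
    return subject_of(assertions[0])


def append_unsigned_assertion(response_xml, subject_name):
    """XSW step: keep the signed assertion intact, append an unsigned one after it."""
    tree = ET.fromstring(response_xml)
    tree.append(make_assertion("_injected", subject_name))
    return ET.tostring(tree)


def edit_signed_subject(response_xml, subject_name):
    """The naive attack that XSW avoids: editing the signed assertion breaks its signature."""
    tree = ET.fromstring(response_xml)
    tree.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID").text = subject_name
    return ET.tostring(tree)


def demo():
    # Constructed scenario: the IdP issues a signed assertion for "alice"; the
    # attacker, who holds that response, wraps in an unsigned one for "admin".
    legit = build_response(sign_assertion(make_assertion("_a1", "alice"), IDP_KEY))
    wrapped = append_unsigned_assertion(legit, "admin")
    try:
        hardened = hardened_get_assertion(wrapped, IDP_KEY)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    try:
        direct_edit = vulnerable_get_assertion(edit_signed_subject(legit, "admin"), IDP_KEY)
    except ValueError as exc:
        direct_edit = f"rejected: {exc}"
    return {"vulnerable": vulnerable_get_assertion(wrapped, IDP_KEY),
            "hardened": hardened, "direct_edit": direct_edit}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the flawed verifier accepting the wrapped response and returning `admin`, while the same verifier still rejects a direct edit of the signed assertion, and the hardened verifier rejects the wrapped response for having two assertions. An alternative fix, the one a library that legitimately supports multi-assertion responses needs, is to verify every assertion (or every assertion it will later return) rather than only the first.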
References: https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0
Upstream patch: https://git.entrouvert.org/lasso.git/commit/?id=ea7e5efe9741e1b1787a58af16cb15b40c23be5a
Created lasso tracking bugs for this issue: Affects: fedora-all [bug 1966607]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2989 https://access.redhat.com/errata/RHSA-2021:2989
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28091
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4325 https://access.redhat.com/errata/RHSA-2021:4325