Bug 1940089 (CVE-2021-28091) - CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28091
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1951653 1963855 1966606 1966607
Blocks: 1940091
Reported: 2021-03-17 15:19 UTC by Pedro Sampaio
Modified: 2022-04-17 21:13 UTC (History)

Fixed In Version: lasso 2.7.0
Doc Type: If docs needed, set a value
Doc Text:
An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
Clone Of:
Environment:
Last Closed: 2021-08-02 19:06:55 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2991 0 None None None 2021-08-02 22:09:49 UTC
Red Hat Product Errata RHBA-2021:3039 0 None None None 2021-08-09 16:14:05 UTC
Red Hat Product Errata RHSA-2021:2989 0 None None None 2021-08-02 15:51:45 UTC
Red Hat Product Errata RHSA-2021:4325 0 None None None 2021-11-09 18:14:43 UTC

Description Pedro Sampaio 2021-03-17 15:19:51 UTC
Lasso 2.5.0, 2.6.0, and 2.6.1 are vulnerable to an XML Signature Wrapping (XSW) vulnerability where an attacker can modify a valid SAML assertion to impersonate another valid user recognized by the service using Lasso.

Comment 3 Riccardo Schirone 2021-04-01 09:08:03 UTC
mod_auth_mellon depends on lasso but it doesn't embed it, so we don't need to keep track of it in the affects list.

Comment 11 Riccardo Schirone 2021-04-21 10:04:18 UTC
Statement:

Lasso is provided in Red Hat Enterprise Linux 7 and 8 only as a dependency of mod_auth_mellon, without development files. The way mod_auth_mellon uses Lasso makes it not vulnerable to this flaw, because SAML responses are additionally validated to have exactly one assertion, thus it is not possible for an attacker to include an unsigned SAML assertion after a signed valid one.

Red Hat Enterprise Linux 7 also provides a lasso-python package that can be used to create Python applications that use Lasso; however, Red Hat only ships ipsilon, which uses it. Ipsilon does not use the vulnerable functions of Lasso.

Comment 12 Riccardo Schirone 2021-04-21 10:12:23 UTC
This flaw can be used by a remote attacker who already has a valid SAML response (e.g. if he's a user recognized by the Identity Provider or if he can do a man-in-the-middle attack and steal a valid response). It allows the attacker to add extra assertions, even if unsigned, at the end of the SAML response with possibly signed assertions within it. Lasso just verifies the signature of the first assertion and it ignores the others after it, while considering the last assertion as the one returned by lasso_login_get_assertion().

This vulnerability could allow attackers to modify their identity and/or impersonate other users/roles within the same organization.
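A structural check a SAML consumer can apply against the wrapping shape described above, added here as an illustration of the mitigation quoted in Comment 11 and not code from Lasso or mod_auth_mellon: the Response must carry exactly one Assertion, and that Assertion's enveloped Signature must reference the Assertion's own ID, so the element whose signature gets verified is the element handed to the application. The sample Responses are constructed, and cryptographic verification of the signature is assumed to be done separately (e.g. by xmlsec).

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def select_assertion(response_xml: str) -> ET.Element:
    """Return the one Assertion a relying party may act on, or raise ValueError.

    Exactly one Assertion is allowed (the mod_auth_mellon rule), so an unsigned
    Assertion appended after the signed one is rejected rather than consumed.
    The enveloped Signature's Reference URI must name this Assertion's own ID,
    so the signed element and the returned element are the same element.
    Signature cryptography itself is assumed to be verified elsewhere.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, got {len(assertions)}")
    assertion = assertions[0]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        raise ValueError("Assertion is not signed")
    if ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Signature Reference does not cover this Assertion")
    return assertion


def subject_of(response_xml: str) -> str:
    """NameID of the trusted Assertion's Subject."""
    return select_assertion(response_xml).find("saml:Subject/saml:NameID", NS).text


def accepted(response_xml: str) -> bool:
    """True when the Response passes the structural checks above."""
    try:
        select_assertion(response_xml)
        return True
    except ValueError:
        return False


def _assertion(aid: str, name: str, signed: bool) -> str:
    # Constructed test fixture; the SignatureValue is a placeholder, not real.
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>' if signed else "")
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject><saml:NameID>{name}'
            '</saml:NameID></saml:Subject></saml:Assertion>')


def _response(*assertions: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">' + "".join(assertions) + "</samlp:Response>")


# Constructed samples: a clean Response, and one with an unsigned Assertion
# appended after the signed one (the CVE-2021-28091 shape from Comment 12).
GOOD = _response(_assertion("_a1", "alice", True))
WRAPPED = _response(_assertion("_a1", "alice", True), _assertion("_a2", "admin", False))
```

Run against the samples, `subject_of(GOOD)` yields `alice`, while `WRAPPED` is rejected before any assertion reaches the caller.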

Comment 26 Riccardo Schirone 2021-06-01 13:46:49 UTC
Created lasso tracking bugs for this issue:

Affects: fedora-all [bug 1966607]

Comment 28 errata-xmlrpc 2021-08-02 15:51:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2989 https://access.redhat.com/errata/RHSA-2021:2989

Comment 29 Product Security DevOps Team 2021-08-02 19:06:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28091

Comment 30 errata-xmlrpc 2021-11-09 18:14:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4325 https://access.redhat.com/errata/RHSA-2021:4325
