Vulnerability Note VU#475445


ComponentSpace Development
Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
https://www.kb.cert.org/vuls/id/475445
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
ComponentSpace can confirm that no versions of its SAML products are affected by this vulnerability.
No action is required.



Regards
ComponentSpace Development
neilp
Great to see ComponentSpace on top of things!

And if anyone is particularly interested in the technical reason why it's not affected...
Right down in the heart of the ComponentSpace Assertion handling, the XML parsing is, in part, offloaded to the .NET XML objects (in the System.Xml namespace).

The vulnerability relies on poor implementation of the retrieval of the internal text of the NameID node in the assertion. When an attacker inserts an HTML/XML comment into the node, the value of the NameID returned by the XML library can be manipulated without invalidating the signature.

The good news is that XmlNode.InnerText returns a concatenation of all text nodes found within the selected element, ignoring comment nodes completely and so is not vulnerable to these attacks. :)


ComponentSpace Development
Hi Neil
That's exactly right. Just to elaborate a little, suppose the SAML assertion included:
<NameID>test@componentspace.com</NameID>
An attacker could manipulate this by adding an XML comment.
For example:
<NameID>test@component<!-- this is a comment -->space.com</NameID>
The addition of the comment doesn't affect the signature verification as the canonicalization removes the comment.
So, now the XML consists of an element with three child nodes – text, comment and text.
Some libraries simply take the first text node (i.e. test@component).
We concatenate all the text nodes (test@componentspace.com) by calling the XmlNode.InnerText property.


Regards
ComponentSpace Development
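
The behaviour discussed in this thread can be reproduced with System.Xml directly. The following is an added example, not ComponentSpace's code or part of the original posts: it loads the two NameID snippets quoted above, shows that exclusive canonicalization without comments yields the same output for both, and compares reading only the first text node with reading XmlNode.InnerText. The class name and the HasOnlyText check are hypothetical, and on .NET Core/5+ the System.Security.Cryptography.Xml NuGet package is assumed to be referenced.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.Xml; // assumption: NuGet package on .NET Core/5+
using System.Xml;

static class NameIdCommentDemo // hypothetical name, for illustration only
{
    // The two NameID snippets quoted in the thread.
    const string Original = "<NameID>test@componentspace.com</NameID>";
    const string Commented =
        "<NameID>test@component<!-- this is a comment -->space.com</NameID>";

    static XmlDocument Load(string xml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc;
    }

    // Exclusive C14N without comments: the form a signature digest is computed over.
    static string Canonicalize(XmlDocument doc)
    {
        var c14n = new XmlDsigExcC14NTransform(); // default constructor excludes comments
        c14n.LoadInput(doc);
        using (var reader = new StreamReader((Stream)c14n.GetOutput(typeof(Stream))))
            return reader.ReadToEnd();
    }

    // Hypothetical strict check: accept a NameID only if every child is a text node.
    static bool HasOnlyText(XmlNode node) =>
        node.ChildNodes.Cast<XmlNode>().All(n => n.NodeType == XmlNodeType.Text);

    static void Main()
    {
        XmlDocument a = Load(Original), b = Load(Commented);
        XmlNode nameId = b.DocumentElement;

        Console.WriteLine($"Canonical forms equal: {Canonicalize(a) == Canonicalize(b)}");

        // The commented NameID parses as three children: text, comment, text.
        foreach (XmlNode child in nameId.ChildNodes)
            Console.WriteLine($"  {child.NodeType}: \"{child.Value}\"");

        Console.WriteLine($"First text node only: {nameId.FirstChild.Value}");
        Console.WriteLine($"XmlNode.InnerText:    {nameId.InnerText}");
        Console.WriteLine($"Only text children:   {HasOnlyText(nameId)}");
    }
}
```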