
Vulnerability Note VU#475445


https://componentspace.com/Forums/Topic8565.aspx

By ComponentSpace - 2/27/2018

Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
https://www.kb.cert.org/vuls/id/475445
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
ComponentSpace can confirm that no versions of its SAML products are affected by this vulnerability.
No action is required.

By ComponentSpace - 2/28/2018

Hi Neil
That's exactly right. Just to elaborate a little, suppose the SAML assertion included:
<NameID>test@componentspace.com</NameID>
An attacker could manipulate this by adding an XML comment.
For example:
<NameID>test@component<!-- this is a comment -->space.com</NameID>
The addition of the comment doesn't affect the signature verification as the canonicalization removes the comment.
So, now the XML consists of an element with three child nodes – text, comment and text.
Some libraries simply take the first text node (i.e. test@component).
We concatenate all the text nodes (test@componentspace.com) by calling the XmlNode.InnerText property.
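The two parsing behaviours described above, as an added stand-alone illustration in Python (this is not ComponentSpace code): the canonicalization step is the comment-stripping C14N a signature verifier applies, the fragile extraction reads only the first text node, and the robust extraction concatenates all text nodes the way XmlNode.InnerText does. The sample NameID elements are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Constructed sample NameID elements mirroring the post: a clean one and one
# with an XML comment spliced into the text content.
CLEAN = "<NameID>test@componentspace.com</NameID>"
WITH_COMMENT = "<NameID>test@component<!-- this is a comment -->space.com</NameID>"


def canonical_form(xml_text: str) -> str:
    """Canonicalize without comments, as the signature transform does.
    The comment is dropped, so both inputs canonicalize to identical output."""
    return ET.canonicalize(xml_text, with_comments=False)


def c14n_digest(xml_text: str) -> str:
    """Digest over the canonical form; this is what a signature actually covers."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def first_text_node(xml_text: str) -> str:
    """Fragile extraction: return only the first child text node.
    With a comment spliced in, this yields the truncated value."""
    elem = minidom.parseString(xml_text).documentElement
    for node in elem.childNodes:
        if node.nodeType == node.TEXT_NODE:
            return node.data
    return ""


def all_text_nodes(xml_text: str) -> str:
    """Robust extraction: concatenate every child text node, skipping comments,
    which is the behaviour of XmlNode.InnerText in .NET."""
    elem = minidom.parseString(xml_text).documentElement
    return "".join(n.data for n in elem.childNodes if n.nodeType == n.TEXT_NODE)


if __name__ == "__main__":
    # Same digest (signature still verifies), but different extracted values
    print(c14n_digest(CLEAN) == c14n_digest(WITH_COMMENT))  # True
    print(first_text_node(WITH_COMMENT))                    # test@component
    print(all_text_nodes(WITH_COMMENT))                     # test@componentspace.com
```

The digest equality is the reason the tampered assertion still passes signature verification; only the extraction step decides whether the application sees the truncated or the full identifier.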