Lasso bug roped up and corralled by Enterprise Application Access developers

Akamai offers comprehensive post-mortem on recently resolved authentication platform vulnerability

Akamai has offered a deep-dive analysis of a recently patched flaw in its Enterprise Application Access (EAA) access control and authentication platform.

EAA allows enterprise users to make access control and authentication decisions based on identity information offered by a third-party identity provider.

Developers of EAA took advantage of the Lasso open source library to bolt on support for the Security Assertion Markup Language (SAML) v2.0 authentication protocol – a technology widely used by identity providers.

The reliance on Lasso left EAA exposed to the effects of a recently discovered XML Signature Wrapping (XSW) vulnerability in the library. XML Signature Wrapping is a well-known class of vulnerability, with several previously documented examples.

Coordinated response

The Lasso vulnerability – tracked as CVE-2021-28091 – could allow an attacker to doctor a valid SAML response so that it contains an unsigned SAML assertion.

The flaw was given a CVSS score of 8.2, towards the top end of the scale.

In the case of EAA, the reliance on Lasso set up the preconditions for a possible exploit where an attacker impersonates another user of the targeted system.

Exploitation would likely require either a manipulator-in-the-middle position or, alternatively, the abuse of compromised credentials obtained through phishing.

Fortunately, incident response experts at Akamai and developers at Lasso were able to work together on a coordinated disclosure process while a patch was developed.

Patch development

The fix, explained in some depth in Akamai’s technical blog post, involves applying tighter cryptographic checks and controls on what constitutes a valid request.
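As an added illustration (not Lasso's or Akamai's code) of the kind of "what counts as a valid response" check the flaw described above calls for, the Python sketch below contrasts a naive "any signature present" gate with a structural check that rejects a response carrying an assertion not covered by its own enveloped signature. The SAML XML is constructed, the signature values are placeholders, and cryptographic verification of each signature (for example with xmlsec) is assumed to happen as a separate step after this gate.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _enveloped_signature_covers(element):
    """True if a direct-child ds:Signature references the element's own ID."""
    eid = element.get("ID")
    sig = element.find(f"{{{DS}}}Signature")
    if eid is None or sig is None:
        return False
    return any(ref.get("URI") == f"#{eid}" for ref in sig.iter(f"{{{DS}}}Reference"))

def naive_is_valid(xml_text):
    """Weak gate: accept if a signature exists anywhere in the response."""
    return ET.fromstring(xml_text).find(f".//{{{DS}}}Signature") is not None

def strict_is_valid(xml_text):
    """Structural gate: IDs are unique, and either the Response itself or
    every Assertion in it is covered by its own enveloped signature."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False  # duplicate IDs are a classic wrapping tell
    if _enveloped_signature_covers(root):
        return True  # signature over the whole Response covers every assertion
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    return bool(assertions) and all(_enveloped_signature_covers(a) for a in assertions)

# Constructed sample: one assertion for alice, with an enveloped signature.
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same response with an unsigned assertion for bob spliced in ahead of alice's.
UNSIGNED_ASSERTION = """<saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
  """
DOCTORED_RESPONSE = SIGNED_RESPONSE.replace(
    '<saml:Assertion ID="_a1">', UNSIGNED_ASSERTION + '<saml:Assertion ID="_a1">')
```

The naive gate accepts both documents because a signature is present somewhere; the strict gate accepts only the original, since the spliced-in assertion has no enveloped signature of its own.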

The initial mitigations proposed by developers in February turned out to be incomplete, prompting Akamai techies to suggest a more complete resolution that has since been adopted.

Sysadmins who rely on Lasso for their SAML authentication should patch as soon as possible, Akamai advises.
