An attacker could masquerade as an authenticated user without presenting credentials
An open source Go implementation of the SAML protocol has patched a critical vulnerability that could allow attackers to bypass authentication in applications that used the library.
SAML is a popular XML-based standard for passing authentication information between identity providers and service providers. SAML is one of the protocols used for single sign-on (SSO), where users use a single identity provider to sign into different applications.
SAML assertions blobs
An SAML assertion is a blob of XML exchanged between the identity provider and the service provider. The SAML assertion includes the user’s identity information and the resources they should have access to.
“Because [the SAML assertion] passes through the user, this blob needs to be signed. The spec allows the whole blob to be signed or just a part of it,” Ross Kinder, the maintainer of SAML library for Go, told The Daily Swig.
Bypassing authentication with multiple assertions
The Go SAML library worked well when an XML blob contains a single assertion, which is what happens most of the time. However, SAML also supports processing multiple assertions in a single blob, which could complicate things.
“If you construct a blob with one signed assertion and one unsigned assertion, you could trick the library into processing the unsigned assertion as if it were signed,” Kinder said.
If a Go program relied on the library for authentication, an attacker could masquerade as an authenticated user without presenting credentials.
“Once you know the vulnerability, the exploit is trivial,” Kinder said.
SAML security is tricky
“The SAML protocol has some significant design deficiencies that stem from it being extremely complex and supporting lots of different modes and options,” Kinder said. “This makes secure implementation of the protocol much more difficult than if the protocol were simpler. Unfortunately, SAML is widely deployed despite its flaws and so we’re kind of stuck with it.”