Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming.
Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially exploited by hackers to log into systems, masquerade as other users, and access their accounts.
Single-sign-on systems (SSOs), for those who don't know, are typically used by enterprises, and large websites, to allow users and customers to log into lots of different services using one username and password pair – plus any two-factor authentication methods, of course. It means folks can sign into apps on phones, webpages on their desktop PCs, and so on, using one set of credentials.
According to the US Homeland Security-backed CERT, the Duo Network Gateway, OneLogin’s python-saml and ruby-saml, Clever’s saml2-js, the OmniAuth-SAML, and the Shibboleth openSAML C++ SSO toolkits are vulnerable to authentication bypass attacks. Vendors of similar technology are potentially affected, too.
The security shortcomings were first discovered by Duo in its own product, and follow up work revealed that other makers of SSO software were also affected. This is therefore a new class of bug, lying within the processing of SAML data.
Duo worked closely with US-CERT and the aforementioned developers since December to patch the bugs, and went public with its findings on Tuesday now that all the fixes are, we're told, available.
According to CERT: "A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider."
That sounds as though any unauthenticated scumbag can gain control of any account. However, Duo's Kelby Ludwig noted that to practically exploit this class of security hole, an attacker has to be logged in. Thus, the flaws allows a rogue user or customer to impersonate another person on the system, which still isn't very nice.
"This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password," explained Ludwig.
Ludwig's advisory has the full technical details, but to briefly summarize: when signing in, the system that performs the identity check produces a SAML response, which is sent to the system providing the service. This response contains, among other things, the account ID of the user logging in, and a digital signature of the data. That signature is supposed to ensure the information is tamper-proof: a tweaked response will not match its signature, and thus will be discarded.
It is, however, possible to log into an identity system, and carefully alter the valid SAML response so that it has a stranger's account ID instead of your own, all while keeping the signature valid. This modified access key is then presented to the service provider, and it appears to be legitimately generated by the identity checking system, due to the valid signature. Thus, you can log in as the stranger using this forged SAML response.
The trick is to exploit the fact that XML comments are skipped when generating the signature, but are not fully skipped when extracting the user account ID string. Oops.
Steve Manzuik, director of security research at Duo Security, told El Reg that the advisory is in "no way an attempt to criticize competitors’ products. In fact, the coordinated disclosure alongside our own customer notification is intended to do the exact opposite."
"This vulnerability was identified during an internal review to vet possible software dependencies," he explained. "It was after we identified that issue, that we felt other SAML libraries could be affected by the same or similar issues. That hypothesis turned out to be correct. We found a vulnerability that affects multiple SAML libraries. These libraries can be used by organizations to enable, for example, Single-Sign-On between websites in their organization."
So: check your SSO library or provider for any security updates, and apply them when you can, ideally before miscreants start to exploit this class of bug. ®