Security researchers have disclosed three critical vulnerabilities within the XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication that features in many popular web applications.
The flaws were discovered earlier in the year by cloud collaboration provider Mattermost. It has been working alongside Go's internal security team since August on addressing these vulnerabilities, as well as with organisations and individuals downstream projects.
All three revolve around the way Go processes XML documents over multiple rounds of parsing, allowing attackers to use specific XML markup language to trick systems. According to a blog post by Juho Nurminen, product security engineer at Mattermost, there are several potential security problems created by these flaws, with one of the most significant being the risk it introduces to the integrity of the web-based SAML single sign-on (SSO) standard.
The first flaw, CVE-2020-29509, is an XML attribute instability in Go's encoding/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document due to namespace mutations between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.
The other two vulnerabilities - designated CVE-2020-29510 and CVE-2020-29511, respectively - can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.
"As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations," said Nurminen. “In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics."
"Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document."
"The actual impact of these XML round-trip vulnerabilities of course varies by use case," he said, "but in SAML SSO it’s easy to understand: if your SAML messages can be altered to say you’re someone you’re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass."
At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.
There are, however, mitigations in place. Mattermost identified three major open-source SAML implementations which are vulnerable to these flaws: Dex SAML Connector, github.com/crewjam/saml and github.com/russellhaering/gosaml2. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of "significant applications and products" that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.
In addition, it has also open-sourced an XML validation library that can be used as a workaround until a more permanent solution is established. Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
