CVE-2022-45597 - Missing SSL Certificate Validation

The CVE description is “Missing SSL Certificate Validation” and the referenced CWE-295 describes the attack as “spoof[ing] a trusted entity by interfering in the communication path between the host and client”.

There is no vulnerability in the communication path between the host and client as the SSL certificates used at the transport layer with HTTPS are validated by the browser. In other words, all SAML messages sent between the identity provider and service provider sites are sent via the browser over HTTPS and it’s the browser that validates the server’s SSL certificate.

What we didn’t do is validate the X.509 certificates used at the application layer for XML signature verification etc of SAML messages. The reasons for this include:

  1. Certificate validation, including certificate chain validation and the checking of certificate revocation lists, can be an expensive operation.
  2. In many scenarios, self-signed certificates are used meaning any validation isn’t really beneficial.
  3. Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates.
For these reasons, we don’t consider this as a vulnerability.

However, we did add support for optional certificate validation for those customers who consider this as important. This was added to SAML for ASP.NET Core v3.7.0 with some minor modifications in versions 4.6.0. For more information, refer to the Release Notes.

By default, we check the certificate expiry but the actual validity checks performed are configurable.