Vulnerability Note VU#475445

ComponentSpace · February 27, 2018, 3:55pm

Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
https://www.kb.cert.org/vuls/id/475445
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
ComponentSpace can confirm that no versions of its SAML products are affected by this vulnerability.
No action is required.

neilp · February 28, 2018, 7:06am

Great to see ComponentSpace on top of things!

And if anyone is particularly interested in the technical reason why it’s not affected…
Right down in the heart of the ComponentSpace Assertion handling, the XML parsing is, in part, offloaded to the .net XML objects (in the System.Xml namespace).

The vulnerability relies on poor implementation of the retrieval of the internal text of the NameID node in the assertion. When an attacker inserts a HTML/XML comment into the node, the value of the NameID returned by the XML library can be manipulated without invalidating the signature.

The good news is that XmlNode.InnerText returns a concatenation of all text nodes found within the selected element, ignoring comment nodes completely and so is not vulnerable to these attacks.

ComponentSpace · February 28, 2018, 2:10pm

Hi Neil
That’s exactly right. Just to elaborate a little, suppose the SAML assertion included:
test@componentspace.com
An attacker could manipulate this by adding an XML comment.
For example:
test@componentspace.com
The addition of the comment doesn’t affect the signature verification as the canonicalization removes the comment.
So, now the XML consists of an element with three child nodes – text, comment and text.
Some libraries simply take the first text node (ie test@component)
We concatenate all the text nodes (test@componentspace.com) by calling the XmlNode.InnerText property.