CVE-2024-45409: Critical Vulnerability in Ruby SAML Library Allows Bypass of Authentication

A critical vulnerability has been discovered in the Ruby SAML library (versions 1.12.2 and earlier, and 1.13.0 through 1.16.0) that allows an unauthenticated attacker to forge a SAML Response/Assertion with arbitrary contents and gain unauthorized access to a vulnerable system. The flaw, tracked as CVE-2024-45409, is especially serious because a forged assertion lets the attacker log in as any user of the affected application. It has been fixed in Ruby SAML 1.17.0 and 1.12.3; update to one of those versions immediately.

Technical Details

The Ruby SAML library implements the Service Provider (SP) side of SAML (Security Assertion Markup Language) single sign-on: it consumes the SAML Response returned by an Identity Provider (IdP) and is responsible for checking the XML signature on it before trusting the assertion inside. The library fails to properly verify that signature, so a response can be accepted although its contents were never actually signed by the IdP.

The following simplified Ruby sketch illustrates the flawed logic (it is an illustration, not the library's verbatim source): the method locates the Signature nodes but never checks them.

require 'rexml/document'

# Simplified sketch of the flawed check: the Signature nodes are located but
# never cryptographically verified, so any document that merely contains a
# Signature element is accepted.
def valid_signed_element?(signed_element)
  response_document = REXML::Document.new(signed_element)
  query = "//*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#']"

  signature_nodes = []

  # Locate the Signature nodes in the SAML Response
  REXML::XPath.each(response_document, query) do |element|
    signature_nodes << element
  end

  # Reject a response that carries no Signature at all
  return false if signature_nodes.empty?

  # Verify each Signature node
  signature_nodes.each do |signature_node|
    # Bug: the referenced element's digest and the SignatureValue are never checked here
  end

  true
end

The vulnerability lies in the fact that valid_signed_element? returns true as soon as a Signature element is merely present, without checking the digest of the referenced element or the SignatureValue against the IdP's certificate. An attacker can therefore take any IdP-signed document, replace the assertion contents, and the library still treats the result as a validly signed SAML Response/Assertion.

Exploit Details

An unauthenticated attacker who possesses any SAML document signed by the Identity Provider (IdP), for example a legitimate response issued for the attacker's own low-privileged account, can exploit this vulnerability by reusing that signature on a forged SAML Response/Assertion with arbitrary contents. This allows the attacker to log in as any user within a vulnerable system.

Here is a simplified example of the kind of forged SAML Response that exploits this flaw. The attacker keeps the IdP's Signature element from a legitimately signed document and replaces the Assertion contents; because the signature is never checked against the assertion, the mere presence of the Signature element is enough for the response to be accepted:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="forged-response-id">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="forged-assertion-id">
    <saml:Subject>
      <!-- the account the attacker wants to impersonate -->
      <saml:NameID>victim@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- Signature element copied unchanged from a document signed by the IdP -->
  </ds:Signature>
</samlp:Response>
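As an added, runnable Ruby illustration of the flaw described above (this is not code from the ruby-saml project), a constructed IdP signs an assertion using a reduced model of XML-DSig, the presence-only check from the sketch is run against a forged copy, and a stricter verifier shows what the check has to do instead: verify the SignatureValue over SignedInfo with the IdP key, resolve the Reference URI to exactly one element, check that element's digest, and hand back that exact element so the caller reads the NameID from the verified node only. Assumptions: the "canonical form" is REXML's serialization rather than exclusive C14N, the signature carries a single Reference, the IdP key is generated at run time, and build_signed_response, verify_signed_assertion, forge, wrap and name_id_of are hypothetical helper names.

```ruby
require 'rexml/document'
require 'openssl'
require 'base64'
require 'digest'

DS_NS     = 'http://www.w3.org/2000/09/xmldsig#'
SAML_NS   = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAMLP_NS  = 'urn:oasis:names:tc:SAML:2.0:protocol'
SIG_QUERY = "//*[local-name()='Signature' and namespace-uri()='#{DS_NS}']"

# Constructed IdP signing key, generated for this demo (hypothetical, not a real IdP key).
IDP_KEY = OpenSSL::PKey::RSA.new(2048)

# Stand-in for canonicalization. Real XML-DSig applies exclusive C14N; here the
# same REXML serialization is used when signing and when verifying.
def canon(element)
  element.to_s
end

# Constructed IdP: emit a Response whose Signature covers the Assertion by ID.
def build_signed_response(name_id, assertion_id = '_a1')
  response = REXML::Element.new('samlp:Response')
  response.add_namespace('samlp', SAMLP_NS)
  response.add_attribute('ID', '_r1')
  assertion = response.add_element('saml:Assertion', 'ID' => assertion_id)
  assertion.add_namespace('saml', SAML_NS)
  assertion.add_element('saml:Subject').add_element('saml:NameID').text = name_id
  digest = Base64.strict_encode64(Digest::SHA256.digest(canon(assertion)))
  signature = response.add_element('ds:Signature')
  signature.add_namespace('ds', DS_NS)
  signed_info = signature.add_element('ds:SignedInfo')
  signed_info.add_element('ds:Reference', 'URI' => "##{assertion_id}")
             .add_element('ds:DigestValue').text = digest
  sig = IDP_KEY.sign(OpenSSL::Digest.new('SHA256'), canon(signed_info))
  signature.add_element('ds:SignatureValue').text = Base64.strict_encode64(sig)
  response.to_s
end

# The flawed check from the sketch: a Signature node merely has to be present.
def vulnerable_valid_signed_element?(xml)
  !REXML::XPath.match(REXML::Document.new(xml), SIG_QUERY).empty?
end

# Stricter verifier: returns the Assertion element the IdP actually signed, or nil.
def verify_signed_assertion(xml, idp_public_key)
  doc = REXML::Document.new(xml)
  signatures = REXML::XPath.match(doc, SIG_QUERY)
  return nil unless signatures.size == 1            # exactly one Signature, else reject
  sig = signatures.first
  signed_info = REXML::XPath.first(sig, "*[local-name()='SignedInfo']")
  reference   = REXML::XPath.first(sig, "*[local-name()='SignedInfo']/*[local-name()='Reference']")
  digest_val  = REXML::XPath.first(sig, ".//*[local-name()='DigestValue']")
  sig_val     = REXML::XPath.first(sig, "*[local-name()='SignatureValue']")
  return nil unless signed_info && reference && digest_val && sig_val

  # 1. SignatureValue must verify over SignedInfo with the IdP's key.
  signature = Base64.strict_decode64(sig_val.text.to_s)
  return nil unless idp_public_key.verify(OpenSSL::Digest.new('SHA256'), signature, canon(signed_info))

  # 2. Resolve the Reference URI to exactly one element by ID. The ID is
  #    attacker-controlled, so constrain it before interpolating it into XPath.
  id = reference.attributes['URI'].to_s.delete_prefix('#')
  return nil unless id.match?(/\A[A-Za-z_][\w.-]*\z/)
  targets = REXML::XPath.match(doc, "//*[@ID='#{id}']")
  return nil unless targets.size == 1

  # 3. The digest must cover that element, and it must be a SAML Assertion.
  target = targets.first
  return nil unless Digest::SHA256.digest(canon(target)) == Base64.strict_decode64(digest_val.text.to_s)
  return nil unless target.name == 'Assertion' && target.namespace == SAML_NS
  target                                            # caller reads NameID from this node only
rescue ArgumentError, OpenSSL::OpenSSLError
  nil
end

# Attacker: keep the IdP's Signature, rewrite the NameID in place.
def forge(signed_xml, attacker_name)
  doc = REXML::Document.new(signed_xml)
  REXML::XPath.first(doc, "//*[local-name()='NameID']").text = attacker_name
  doc.root.to_s
end

# Attacker: leave the signed Assertion intact and prepend an unsigned copy with a
# new ID (signature wrapping). A consumer reading the first NameID sees the attacker.
def wrap(signed_xml, attacker_name)
  doc = REXML::Document.new(signed_xml)
  legit = REXML::XPath.first(doc, "//*[local-name()='Assertion']")
  evil = legit.deep_clone
  evil.attributes['ID'] = '_evil'
  REXML::XPath.first(evil, ".//*[local-name()='NameID']").text = attacker_name
  doc.root.insert_before(legit, evil)
  doc.root.to_s
end

def name_id_of(element)
  REXML::XPath.first(element, ".//*[local-name()='NameID']").text
end
```

Running vulnerable_valid_signed_element? on forge(build_signed_response('alice'), 'admin') returns true, while verify_signed_assertion returns nil for the same document because the digest no longer matches the assertion. For the wrapped variant, the strict verifier returns the original assertion, so reading the NameID from its return value yields "alice" even though the first NameID in document order says "admin"; if the attacker instead keeps the original ID on the copy, the duplicate-ID check rejects the document outright.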

Affected Versions and Solution

The vulnerability affects Ruby SAML library versions 1.12.2 and earlier, and 1.13.0 through 1.16.0. Update to version 1.17.0, or to 1.12.3 if you must stay on the 1.12 branch, to address this security issue.

To update the Ruby SAML library, install the fixed release for your branch:

# Current branch
gem install ruby-saml -v 1.17.0

# 1.12 maintenance branch
gem install ruby-saml -v 1.12.3

If the application is managed with Bundler, raise the version constraint in the Gemfile and run bundle update ruby-saml instead, then confirm the resolved version in Gemfile.lock, including any dependency that pulls in ruby-saml transitively.

References

- Original Issue Report on GitHub
- CVE-2024-45409 Vulnerability Details
- Ruby SAML Repository

Conclusion

CVE-2024-45409 is a critical vulnerability in the Ruby SAML library that allows attackers to forge SAML Responses/Assertions with arbitrary contents, and so to authenticate as any user of a vulnerable system. To safeguard your system against this vulnerability, update the Ruby SAML library to version 1.17.0 or 1.12.3 as soon as possible.

Timeline

Published on: 09/10/2024 19:15:22 UTC
Last modified on: 09/20/2024 14:13:10 UTC