Auth0 Security Bulletin CVE-2017-16897
Published: December 22, 2017
CVE number: CVE-2017-16897
Credit: Alan Bishop
A vulnerability has been discovered in the passport-wsfed-saml2 library affecting versions <
This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response, but instead only signs the assertion within the response.
An attacker who successfully exploits this vulnerability could take a legitimate response and use it to craft a request carrying a different NameIdentifier, logging in as a different user. A malicious actor could also escalate privileges by authenticating in this way as a specific user who holds administrative privileges. The attacker must have an existing account, or be able to intercept the encrypted traffic and modify the SAML response on the fly.
This update addresses the vulnerability by preventing signature wrapping attacks on the Assertion and Response elements and by hardening the XPath expressions used to locate them. The way the library logs information about the signing of the SAML response has also been improved.
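The structural check such a fix depends on, as an added example written for this bulletin and not code from the passport-wsfed-saml2 library: it consumes the NameID only from a single Assertion that is a direct child of the Response and that the signature's Reference actually points at, and it reports whether the Response, the Assertion, or both are signed. Python is used here for its standard-library XML parser; the sample response is constructed, and cryptographic verification of the signature is assumed to be done separately by the SAML library.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespace URIs.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _signed_element_id(signature):
    # ID named by the signature's Reference URI ("#_id"), or None if absent.
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return uri[1:] if uri.startswith("#") else None

def signing_summary(xml_text):
    """Pick the one assertion a relying party may consume and report what is signed.

    Structural check only: cryptographic verification of the signature stays with
    the SAML library. Every lookup is a direct-child path, never a descendant
    search (".//saml:Assertion"), so an assertion placed under an unexpected
    parent element is never considered.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    sig = root.find("ds:Signature", NS)
    response_signed = sig is not None and _signed_element_id(sig) == root.get("ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one saml:Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)
    assertion_signed = sig is not None and _signed_element_id(sig) == assertion.get("ID")
    if not (response_signed or assertion_signed):
        raise ValueError("neither the Response nor its Assertion is signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed,
            "name_id": None if name_id is None else name_id.text}

# Constructed sample: only the assertion is signed, the case this bulletin describes.
ASSERTION_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

A second direct-child Assertion, or a Signature whose Reference does not name the Assertion it sits in, is rejected before any NameID is read; the returned flags are what the improved signing log line would record.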
Patching this vulnerability requires a library upgrade.
Am I affected?
This vulnerability affected cloud tenants using the SAMLP Identity Provider Connection where the identity provider either:
- signed the SAML response and signed the assertion, or
- did not sign the SAML response but signed the assertion.
No action is required for Auth0 cloud tenants.
The vulnerability scope also extended to those using the passport-wsfed-saml2 strategy with passport.js, which requires a library upgrade (see the next section).
How do I fix this?
Developers using the passport-wsfed-saml2 library need to upgrade to the latest version:
Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your package.json file is updated to take patch and minor level updates of our libraries.
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.