SSOReady CVE-2024-47832 & Ruby-SAML CVE-2024-45409
CVE-2024-47832 is a significant vulnerability affecting SSOReady, a single sign-on provider that self-hosters deploy via Docker. The vulnerability allows XML signature bypass attacks, which compromise the integrity of IdP-signed messages under certain conditions. Specifically, an attacker who has obtained a legitimately signed message can exploit differences in behavior between XML parsers to bypass signature validation.
Affected Versions and Impact
The vulnerability primarily affects self-hosted instances of SSOReady. Users of the public hosted instance at https://ssoready.com are not impacted. The recommended action for those self-hosting SSOReady is to upgrade to version 7f92a06 or later by updating their Docker images accordingly. There are currently no known workarounds for this vulnerability, making immediate upgrades critical.
Technical Details
Mechanism of the Attack
The underlying mechanism of CVE-2024-47832 exploits differences in how various XML parsers handle XML signatures. An attacker can manipulate an XML document, replacing the legitimate signature with one generated using an attacker-controlled private key. This is facilitated by placing the attacker's certificate in the <KeyInfo /> element of the XML document, which many parsers trust by default.
For example, an attacker could modify a signed XML document as follows:
In this scenario, the attacker's certificate could be accepted by the XML parser, leading to unauthorized access or actions being taken based on the forged signature.
Comparison with Related Vulnerabilities
CVE-2024-47832 is part of a broader pattern of vulnerabilities related to XML signature handling. For instance, CVE-2024-45409 affected Ruby-SAML implementations and allowed attackers to log in as arbitrary users through similar XML signature wrapping attacks. Both vulnerabilities highlight systemic flaws in how XML signatures are processed and validated across different libraries and frameworks.

Vulnerability | Affected System | Type of Attack | Recommended Action |
---|---|---|---|
CVE-2024-47832 | SSOReady | XML Signature Bypass | Upgrade to 7f92a06 or later |
CVE-2024-45409 | Ruby-SAML | XML Signature Wrapping | Upgrade Ruby-SAML library |
Recommendations
- Immediate Upgrade: Users should upgrade their self-hosted SSOReady instances to version 7f92a06 or later.
- Monitor Security Advisories: Stay informed about any further developments related to XML signature vulnerabilities.
- Implement Additional Validation: Consider implementing additional validation steps beyond those provided by default configurations to mitigate risks associated with XML signatures.
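As an added example (not SSOReady's or Ruby-SAML's own code), two of the additional validation steps the recommendation above refers to, applied to both vulnerabilities discussed: refuse a signed Reference that resolves to more than one element (the wrapping pattern), and treat the certificate in KeyInfo as an identifier to match against a pinned IdP certificate rather than as a trust anchor. It assumes a SAML-shaped document with an unnamespaced ID attribute, fingerprints pinned out of band, and constructed sample bytes in place of a real certificate; it runs before, never instead of, cryptographic signature verification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSIG namespace, ElementTree style

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes carried in <ds:X509Certificate>."""
    der = base64.b64decode("".join(b64_cert.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def check_signature_inputs(xml_doc: str, pinned_fingerprints: set) -> list:
    """Pre-checks before (not instead of) cryptographic XML-DSIG verification.
    Returns a list of problems; empty means proceed to verify with the pinned key.
    1. The signed Reference must resolve to exactly one element (wrapping check).
    2. The KeyInfo certificate must match a pinned IdP cert; presence is not trust."""
    problems = []
    root = ET.fromstring(xml_doc)
    ids = {}
    for el in root.iter():  # count every ID-bearing element, signed or not
        if "ID" in el.attrib:
            ids[el.attrib["ID"]] = ids.get(el.attrib["ID"], 0) + 1
    ref = root.find(f".//{DS}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        problems.append(f"Reference URI {uri!r} is not a same-document fragment")
    elif ids.get(uri[1:], 0) != 1:
        problems.append(f"Reference {uri!r} matches {ids.get(uri[1:], 0)} elements, want exactly 1")
    cert_el = root.find(f".//{DS}KeyInfo//{DS}X509Certificate")
    if cert_el is None or not (cert_el.text or "").strip():
        problems.append("no X509Certificate in KeyInfo")
    elif cert_fingerprint(cert_el.text) not in pinned_fingerprints:
        problems.append("KeyInfo certificate is not a pinned IdP certificate")
    return problems

def sample_response(assertion_ids, cert_der: bytes) -> str:
    """Constructed SAML-shaped document for exercising the checks; not a real signed message."""
    cert = base64.b64encode(cert_der).decode()
    body = "".join(f'<saml:Assertion ID="{i}"><saml:Subject>alice</saml:Subject></saml:Assertion>'
                   for i in assertion_ids)
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="{DS[1:-1]}">'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_ids[0]}"/></ds:SignedInfo>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature>{body}</samlp:Response>')

IDP_CERT_DER = b"constructed-idp-cert-bytes"  # stand-in for the operator's pinned IdP DER cert
PINNED = {hashlib.sha256(IDP_CERT_DER).hexdigest()}
```

A message carrying two elements with the signed ID, or a KeyInfo certificate not in `PINNED`, is rejected before any signature math runs, which is the point the differential-parser and KeyInfo-trust bypasses rely on.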
Conclusion
CVE-2024-47832 underscores the ongoing challenges associated with XML signature processing and validation. As attackers continue to exploit these vulnerabilities, it is crucial for developers and organizations to prioritize security updates and adopt best practices in handling XML signatures to safeguard against potential exploits.

https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v
https://ssoready.com/blog/engineering/xml-dsig-is-unfortunate/
https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/