CVE-2026-46490
Received - Intake
XML Injection in samlify Library

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-91: The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Executive Summary

The vulnerability exists in the samlify Node.js library for SAML single sign-on, prior to version 2.13.0. The issue is that samlify only escapes attribute contexts during template substitution, but does not escape values inserted into element text such as <saml:AttributeValue>. This allows a normal user to inject XML markup into attribute values like email or name.

As a result, an attacker can add new <saml:Attribute> elements inside the signed assertion. The Identity Provider (IdP) then signs this tampered assertion, and the Service Provider (SP) accepts the injected attributes as trusted. This can lead to privilege escalation when these attributes are used for authorization purposes, such as roles or groups.

This vulnerability was fixed in samlify version 2.13.0.
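
The escaping gap described above, shown as an added illustration that is not samlify's code: a constructed template renderer that escapes only attribute contexts, next to the same renderer escaping element text as well. TEMPLATE, the {Placeholder} syntax, render() and the sample value are assumptions made for the example.

```javascript
// Added illustration; not samlify's code. TEMPLATE, the {Placeholder} syntax
// and render() are hypothetical stand-ins for a SAML attribute template.
const TEMPLATE =
  '<saml:Attribute Name="{Name}">' +
  '<saml:AttributeValue>{Value}</saml:AttributeValue>' +
  '</saml:Attribute>';

// Escape the five XML special characters; the result is safe in both
// attribute values and element text.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
  }[c]));
}

// Substitute {Key} placeholders. A placeholder directly preceded by =" is in
// an attribute context; every other placeholder is element text.
// escapeText=false models the attribute-only escaping the advisory describes.
function render(template, values, escapeText) {
  return template.replace(/(=")?\{(\w+)\}/g, (match, attrPrefix, key) => {
    const raw = values[key] ?? '';
    const inAttribute = attrPrefix !== undefined;
    const out = inAttribute || escapeText ? escapeXml(raw) : String(raw);
    return (attrPrefix || '') + out;
  });
}

// Count start tags named saml:Attribute (not saml:AttributeValue, not end tags).
function countAttributeElements(xml) {
  return (xml.match(/<saml:Attribute[\s>\/]/g) || []).length;
}

// Constructed user-controlled profile value that contains markup.
const values = {
  Name: 'email',
  Value: 'a@example.test<saml:Attribute Name="x"/>',
};

const attributeOnly = render(TEMPLATE, values, false); // markup survives
const allContexts = render(TEMPLATE, values, true);    // markup becomes text

console.log(countAttributeElements(attributeOnly)); // 2
console.log(countAttributeElements(allContexts));   // 1
```

Because the signature is computed after substitution, the one-attribute result is only guaranteed when escaping happens before the IdP signs.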

Impact Analysis

This vulnerability can allow an attacker to escalate privileges by injecting unauthorized attributes into a signed SAML assertion. Since the Service Provider trusts the signed assertion from the Identity Provider, the attacker can gain unauthorized access or elevated permissions within the system.

If your system uses samlify for SAML single sign-on and relies on attributes for authorization decisions (such as roles or group memberships), this vulnerability could allow attackers to bypass access controls and gain higher privileges than intended.

Mitigation Strategies

To mitigate this vulnerability, upgrade the samlify Node.js library to version 2.13.0 or later, where the issue has been patched.

Compliance Impact

The vulnerability allows an attacker to inject unauthorized attributes into signed SAML assertions, leading to privilege escalation by manipulating roles or groups used for authorization.

Such unauthorized privilege escalation can undermine the integrity and confidentiality of user identity and access management, which are critical components of compliance with standards like GDPR and HIPAA.

By enabling attackers to escalate privileges and potentially access or modify sensitive data, this vulnerability could lead to violations of data protection and access control requirements mandated by these regulations.

Detection Guidance

This vulnerability involves XML injection in SAML assertions generated by vulnerable versions of the samlify library (up to 2.10.2). Detection involves inspecting SAML assertions for unexpected or injected XML elements within <saml:AttributeValue> tags.

To detect this on your system or network, you can capture SAML assertions (e.g., from HTTP POST or Redirect bindings) and analyze the XML content for injected <saml:Attribute> elements inside signed assertions.

Suggested commands include using tools like 'curl' or browser developer tools to capture SAML responses, then using XML parsing or searching commands to find suspicious injected attributes.

  • Use curl or tcpdump to capture SAML responses from your IdP or SP endpoints.
  • Extract the SAML assertion (usually base64 encoded) and decode it: echo 'BASE64_SAML_ASSERTION' | base64 -d > assertion.xml
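  • Search for injected <saml:Attribute> elements inside <saml:AttributeValue> tags. xmllint --xpath cannot resolve the saml: prefix without a namespace binding, so match on local names: xmllint --xpath "//*[local-name()='AttributeValue']/*[local-name()='Attribute']" assertion.xml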
  • Alternatively, use grep or xmlstarlet to find suspicious XML markup inside attribute values.

If you find additional <saml:Attribute> elements inside <saml:AttributeValue> or unexpected XML markup, it indicates possible exploitation of this vulnerability.
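
The same check as a script, for cases where assertions are collected in bulk: an added example (not part of the original page or of samlify) that decodes a base64 POST-binding payload and reports every AttributeValue whose content contains markup, whatever namespace prefix is used. The function names, the findings shape and both sample assertions are constructed for the example.

```javascript
// Added example, not samlify code. Function names and the findings shape are
// hypothetical; both sample assertions below are constructed.
function decodeSamlPost(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Report every AttributeValue element whose content contains a literal '<'.
// In well-formed XML a '<' in text is written &lt;, so a literal one means a
// child element, comment or CDATA section sits inside the value.
function findMarkupInAttributeValues(xml) {
  const open = /<((?:[\w.-]+:)?AttributeValue)\b([^>]*)>/g;
  const findings = [];
  let m;
  while ((m = open.exec(xml)) !== null) {
    if (m[2].endsWith('/')) continue;              // self-closing: no content
    const start = open.lastIndex;
    const end = xml.indexOf(`</${m[1]}`, start);   // first matching end tag
    if (end === -1) break;                         // truncated capture
    const content = xml.slice(start, end);
    if (content.includes('<')) findings.push({ offset: m.index, content });
    open.lastIndex = end;                          // skip nested start tags
  }
  return findings;
}

function scanBase64(b64) {
  return findMarkupInAttributeValues(decodeSamlPost(b64));
}

// Constructed samples, base64-encoded the way the POST binding carries them.
const toB64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const wrap = (body) =>
  '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' +
  '<saml:AttributeStatement>' + body + '</saml:AttributeStatement></saml:Assertion>';
const CLEAN = toB64(wrap(
  '<saml:Attribute Name="email"><saml:AttributeValue>a@example.test</saml:AttributeValue></saml:Attribute>' +
  '<saml:Attribute Name="note"><saml:AttributeValue>1 &lt; 2</saml:AttributeValue></saml:Attribute>' +
  '<saml:Attribute Name="empty"><saml:AttributeValue/></saml:Attribute>'));
const SUSPECT = toB64(wrap(
  '<saml:Attribute Name="email"><saml:AttributeValue>a@example.test' +
  '<saml:Attribute Name="x"><saml:AttributeValue>y</saml:AttributeValue></saml:Attribute>' +
  '</saml:AttributeValue></saml:Attribute>'));

console.log(scanBase64(CLEAN).length, scanBase64(SUSPECT).length); // 0 1
```

Some deployments legitimately place child elements inside AttributeValue, so treat a hit as a lead to review against the IdP's attribute release rules rather than as proof.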
