{"id":41653,"date":"2020-12-15T11:34:35","date_gmt":"2020-12-15T11:34:35","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=172f46122098db16c967c82074233c18"},"modified":"2020-12-15T11:34:35","modified_gmt":"2020-12-15T11:34:35","slug":"golang-xml-parser-vulnerability-could-enable-saml-authentication-bypass","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/golang-xml-parser-vulnerability-could-enable-saml-authentication-bypass\/","title":{"rendered":"Golang XML parser vulnerability could enable SAML authentication bypass"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/rene-millman\">Rene Millman<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">15 Dec, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<div class=\"field field-name-body\">\n<p>Security researchers have disclosed three critical <a href=\"https:\/\/www.itpro.co.uk\/security\/vulnerability\/356709\/why-vulnerability-management-is-crucial-right-now\" data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/security\/vulnerability\/356709\/why-vulnerability-management-is-crucial-right-now\">vulnerabilities<\/a> in the <a href=\"https:\/\/www.itpro.co.uk\/613903\/need-to-know-xml\" data-cke-saved-href=\"https:\/\/www.itpro.co.uk\/613903\/need-to-know-xml\">XML<\/a> parser of the Go programming language (the standard library&#8217;s encoding\/xml package) that could allow attackers to completely bypass the SAML authentication used by many popular web applications.<\/p>\n<p>The flaws were discovered earlier in the year by cloud collaboration provider Mattermost. 
It has been working alongside Go&#8217;s internal security team since August on addressing these vulnerabilities, as well as with the organisations and individuals maintaining downstream projects.<\/p>\n<p>All three stem from the way Go&#8217;s encoding\/xml package handles XML that is decoded and then re-encoded (a round-trip): crafted markup changes meaning between the two passes, so an application that verifies a document in one pass and reads values from it in another can be tricked. According to a <a href=\"https:\/\/mattermost.com\/blog\/coordinated-disclosure-go-xml-vulnerabilities\/\" data-cke-saved-href=\"https:\/\/mattermost.com\/blog\/coordinated-disclosure-go-xml-vulnerabilities\/\">blog post<\/a> by Juho Nurminen, product security engineer at Mattermost, the flaws create several potential security problems, one of the most significant being the risk they introduce to the integrity of the web-based SAML single sign-on (SSO) standard.<\/p>\n<p>The first flaw, CVE-2020-29509, is an XML attribute instability in Go&#8217;s encoding\/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document, because namespace mutations occur between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.<\/p>\n<p>The other two vulnerabilities &#8211; designated CVE-2020-29510 and CVE-2020-29511, respectively &#8211; can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.<\/p>\n<p>&#8220;As evident from the titles, the vulnerabilities are closely related. 
The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go\u2019s decoder and encoder implementations,&#8221; said\u00a0Nurminen.\u00a0\u201cIn other words, passing XML through Go\u2019s decoder and encoder doesn\u2019t preserve its semantics.&#8221;<\/p>\n<p>&#8220;Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it\u2019s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document.&#8221;<\/p>\n<p>&#8220;The actual impact of these XML round-trip vulnerabilities of course varies by use case,&#8221; he said, &#8220;but in SAML SSO it\u2019s easy to understand: if your SAML messages can be altered to say you\u2019re someone you\u2019re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass.&#8221;<\/p>\n<p>At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.<\/p>\n<p>There are, however, mitigations in place. 
Mattermost identified three major open-source SAML implementations that are vulnerable to these flaws: <a href=\"https:\/\/dexidp.io\/docs\/connectors\/saml\/\"  rel=\"noreferrer noopener\" data-cke-saved-href=\"https:\/\/dexidp.io\/docs\/connectors\/saml\/\">Dex SAML Connector<\/a>, <a href=\"https:\/\/github.com\/crewjam\/saml\"  rel=\"noreferrer noopener\" data-cke-saved-href=\"https:\/\/github.com\/crewjam\/saml\">github.com\/crewjam\/saml<\/a> and <a href=\"https:\/\/github.com\/russellhaering\/gosaml2\"  rel=\"noreferrer noopener\" data-cke-saved-href=\"https:\/\/github.com\/russellhaering\/gosaml2\">github.com\/russellhaering\/gosaml2<\/a>. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of &#8220;significant applications and products&#8221; that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.<\/p>\n<p>Mattermost has also <a href=\"https:\/\/github.com\/mattermost\/xml-roundtrip-validator\" data-cke-saved-href=\"https:\/\/github.com\/mattermost\/xml-roundtrip-validator\">open-sourced an XML validation library<\/a> that rejects documents whose meaning would change on a pass through Go&#8217;s decoder and encoder; it can be used as a workaround until a more permanent solution is established. 
Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.\u00a0\u00a0 <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Rene Millman<\/p>\n<p>        15 Dec, 2020    <\/p>\n<p>      Security researchers have disclosed three critical vulnerabilities within\u00a0the\u00a0XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication\u00a0that&#8230;<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41653","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41653"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41653\/revisions"}],"predecessor-version":[{"id":41654,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41653\/revisions\/41654"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
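The round-trip instability the article describes can be screened for at the edge of a SAML Service Provider, before any signature is checked. The Go program below is an added example written for this page; it is not code from the article, from Mattermost's xml-roundtrip-validator, or from the Go project, and its approach is its own: decode the raw bytes into tokens, re-encode them with encoding/xml, decode the result, and refuse the document if the two token streams differ in any resolved element or attribute name, attribute value, text, comment, directive or processing instruction. It also rejects any element or attribute whose namespace prefix is never declared, because Go's decoder leaves such a prefix in Name.Space verbatim and the encoder then writes that string out as though it were a namespace URL. The SAML assertion and the undeclared-prefix document are constructed samples, not real identity-provider messages, and the names RoundTripCheck and tokenize are this example's own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample (not a real IdP message) in the shape of a SAML 2.0 Assertion.
const assertion = `<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>`

// Constructed sample that the decoder accepts although "saml" is never declared: the bare prefix
// stays in Name.Space and the encoder re-emits it as a URL (xmlns="saml"), so the element's
// identity differs after a single round-trip. Such input is rejected up front.
const undeclared = `<saml:Assertion ID="_example-2"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>`

// tokenize renders a document as comparable token strings. Namespace declarations are not listed
// themselves: their effect is the resolved Name.Space of every element and attribute, which, like
// attribute values, text, comments and directives, must be identical before and after a round-trip.
func tokenize(raw []byte) ([]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(raw))
	scopes, out := []map[string]bool{{}}, []string(nil) // namespace URLs in scope, one set per open element
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, fmt.Errorf("decode: %w", err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			scope := map[string]bool{}
			for url := range scopes[len(scopes)-1] {
				scope[url] = true
			}
			names, attrs := []xml.Name{t.Name}, []string(nil)
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" || (a.Name.Space == "" && a.Name.Local == "xmlns") {
					scope[a.Value] = true // xmlns:p="url" or xmlns="url"
					continue
				}
				names = append(names, a.Name)
				attrs = append(attrs, fmt.Sprintf(" {%s}%s=%q", a.Name.Space, a.Name.Local, a.Value))
			}
			for _, n := range names { // the reserved xml prefix is bound without a declaration
				if n.Space != "" && n.Space != "http://www.w3.org/XML/1998/namespace" && !scope[n.Space] {
					return nil, fmt.Errorf("undeclared namespace prefix %q on %q", n.Space, n.Local)
				}
			}
			scopes = append(scopes, scope)
			out = append(out, fmt.Sprintf("S {%s}%s%s", t.Name.Space, t.Name.Local, strings.Join(attrs, "")))
		case xml.EndElement:
			scopes = scopes[:len(scopes)-1]
			out = append(out, fmt.Sprintf("E {%s}%s", t.Name.Space, t.Name.Local))
		case xml.CharData:
			out = append(out, "T "+string(t))
		case xml.Comment, xml.Directive, xml.ProcInst:
			out = append(out, fmt.Sprintf("%T %s", t, t))
		}
	}
}

// RoundTripCheck decodes raw, re-encodes every token with encoding/xml, decodes the result and
// compares the two token streams. nil means the document says the same thing before and after the
// round-trip; any error means it must be rejected before signature verification is even attempted.
func RoundTripCheck(raw []byte) error {
	before, err := tokenize(raw)
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	enc, dec := xml.NewEncoder(&buf), xml.NewDecoder(bytes.NewReader(raw))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		} else if err != nil {
			return fmt.Errorf("decode: %w", err)
		} else if err = enc.EncodeToken(tok); err != nil {
			return fmt.Errorf("re-encode: %w", err)
		}
	}
	if err := enc.Flush(); err != nil {
		return fmt.Errorf("re-encode: %w", err)
	}
	after, err := tokenize(buf.Bytes())
	if err != nil {
		return fmt.Errorf("re-decode: %w", err)
	}
	if a, b := strings.Join(before, "\n"), strings.Join(after, "\n"); a != b {
		return fmt.Errorf("round-trip changed the document\n--- before\n%s\n--- after\n%s", a, b)
	}
	return nil
}
```

Run RoundTripCheck on the raw bytes exactly as received, before they reach the signature library, and treat any error as a hard rejection: the sample assertion passes, while the document with the undeclared saml prefix is refused. The check is deliberately stricter than the XML specification requires. A document that changes shape under Go's encoder is not necessarily malicious, but it cannot be safely verified in one pass and read in another, which is the pattern the three CVEs exploit.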