VIP (Validation ID Protection)


Symantec VIP is Secure Against New SAML Vulnerabilities  

Mar 02, 2018 06:56 PM

This past week, a new attack was discovered that exploits commonly used Security Assertion Markup Language (SAML) implementations. An attacker could modify SAML content without invalidating the cryptographic signature, thus bypassing authentication and assuming the role of an authenticated user. SAML is widely used for single sign-on (SSO) systems that allow for federation capabilities across different services. Single sign-on systems are popular among many organizations for their ease of use: users authenticate once without having to re-authenticate to their web applications.

According to CERT, “multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers”.  For a detailed list of the SAML vulnerabilities and impacted libraries, please visit the CERT site.

To safeguard yourself against this SAML vulnerability, please check your SAML libraries to see if they are affected and follow vendor recommendations. Symantec Validation and Identity Protection (VIP) service and all of its components are secure against these recently discovered SAML vulnerabilities. To learn more about Symantec VIP, please visit the product page.
