
Overview

On September 10, 2024, a critical vulnerability, CVE-2024-45409, was identified by ahacker1 of SecureSAML and subsequently patched in the Ruby-SAML library, which is widely used to implement SAML (Security Assertion Markup Language) authorization.

This flaw affects Ruby-SAML versions up to 1.12.2 and between 1.13.0 and 1.16.0 and stems from an incorrect XPath selector that prevents the proper verification of the SAML Response signature. An unauthenticated attacker with access to a signed SAML document from a legitimate identity provider (IdP) can exploit this vulnerability by forging a SAML Response or Assertion. This allows the attacker to bypass the authentication mechanism and potentially gain unauthorized access to sensitive data and critical systems.

SAML is widely used in web applications, especially those that implement Single Sign-On (SSO) mechanisms for user authentication across different platforms or services. It is also used in multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE).

On September 17, 2024, GitLab issued an important update to address the critical vulnerability identified in the Ruby-SAML library. This update impacts multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE), specifically those released prior to 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10. Users are strongly encouraged to upgrade to these patched versions to protect against potential exploitation of this vulnerability.

Following GitLab's patch, researchers from ProjectDiscovery published a detailed analysis of the SAML vulnerability and demonstrated how it could be exploited to gain unauthorized access to GitLab accounts. The figure below is taken from their video demonstration of a POC gaining unauthorized access to a GitLab account.

Figure 1 – POC for gaining unauthorized access to GitLab accounts

Amid these findings, Cyble Global Sensor Intelligence (CGSI) identified a scanning attempt associated with CVE-2024-45409.

Cyble Global Sensor Intelligence (CGSI) findings

On October 8, 2024, Cyble Global Sensor Intelligence (CGSI) identified attempts to exploit the newly disclosed vulnerability, CVE-2024-45409. Analysis of the detected URL patterns suggests that threat actors may be actively scanning for vulnerable GitLab instances in order to exploit this particular flaw. This activity points to a possible ongoing campaign aimed at exploiting CVE-2024-45409, potentially involving systematic probing of GitLab instances to identify entry points.

Figure 2 – Exploitation attempts observed via the CGSI network

Vulnerability Details

Vulnerability: Authentication bypass
CVE ID: CVE-2024-45409
CVSSv3.1: 9.8
Severity: Critical
Vulnerable Software Versions: Ruby-SAML <= 1.12.2, and 1.13.0 through 1.16.0

Description

The Ruby-SAML library implements the client (service provider) side of SAML authorization. Ruby-SAML versions <= 1.12.2, and 1.13.0 through 1.16.0, do not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can therefore forge a SAML Response/Assertion with arbitrary contents, which would allow the attacker to log in as an arbitrary user within the vulnerable system.

Technical details

SAML is a widely adopted protocol for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). A vital aspect of securing this exchange is verifying data integrity and authenticity through digital signatures and digest verification.

CVE-2024-45409 is a flaw that enables attackers to circumvent the signature validation process, provided they can obtain a SAML Response issued by the identity provider. An attacker with access to any signed SAML document can forge a SAML Response or Assertion by inserting their own digest value inside the samlp:Extensions element. Because the library's XPath selector is not anchored to the signature block, the parser extracts the smuggled DigestValue from samlp:Extensions rather than the one in the SignedInfo block.

As a result, the attacker bypasses the signature verification, enabling them to authenticate their own forged assertion and effectively bypass the authentication mechanism.
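The selector problem described above, as an added Python illustration (not ruby-saml's code): an unanchored document-wide XPath picks up the first ds:DigestValue in the document, while a selector anchored to ds:Signature/ds:SignedInfo/ds:Reference does not. The SAML Response, the placeholder digest strings and the ordering of samlp:Extensions before ds:Signature are all constructed for this example; the last function is a detection aid that flags any ds:DigestValue found outside SignedInfo.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a real IdP message): the Signature carries the
# legitimate digest, while a second ds:DigestValue has been smuggled into
# samlp:Extensions, which here precedes the Signature in document order.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <samlp:Extensions><ds:DigestValue>SMUGGLED_DIGEST=</ds:DigestValue></samlp:Extensions>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_r1"><ds:DigestValue>LEGIT_DIGEST=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SIGNATURE_PLACEHOLDER=</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""


def digest_unanchored(xml_text):
    """Weak lookup: a document-wide search returns the first ds:DigestValue in
    document order, wherever it lives (the selector pattern the advisory
    describes, reproduced here with ElementTree)."""
    node = ET.fromstring(xml_text).find(".//ds:DigestValue", NS)
    return node.text if node is not None else None


def digest_anchored(xml_text):
    """Hardened lookup: only accept the DigestValue that sits under the
    top-level ds:Signature/ds:SignedInfo/ds:Reference chain."""
    path = "./ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue"
    node = ET.fromstring(xml_text).find(path, NS)
    return node.text if node is not None else None


def stray_digest_values(xml_text):
    """Detection aid: list the parent tag of every ds:DigestValue that has no
    ds:SignedInfo ancestor. A non-empty list is worth alerting on."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    signed_info = "{%s}SignedInfo" % NS["ds"]
    strays = []
    for node in root.iter("{%s}DigestValue" % NS["ds"]):
        anc = parent.get(node)
        while anc is not None and anc.tag != signed_info:
            anc = parent.get(anc)
        if anc is None:
            strays.append(parent[node].tag)
    return strays
```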

Conclusion

CVE-2024-45409 presents a significant risk in the Ruby-SAML library. It enables attackers to forge SAML Responses and gain unauthorized access to systems because the library does not adequately verify the SAML Response signature. This vulnerability highlights the urgent need for action, particularly as GitLab, a widely used platform, is especially susceptible to this issue. The recent detection of exploitation attempts by CGSI further underscores the severity of this threat.

Mitigation

GitLab advises self-managed users to implement two mitigation measures to lessen the risk of exploitation:

  • Enable two-factor authentication for all user accounts on the self-managed GitLab instance. (Note: Activating multi-factor authentication on the identity provider does not address this vulnerability.)
  • Disable the SAML two-factor bypass option within GitLab.

Recommendations

  • Update the Ruby-SAML library to the latest version, where the vulnerability has been patched.
  • Ensure multi-factor authentication (MFA) is enabled on your accounts to add an extra layer of security.
  • Organizations should conduct regular security awareness and information security training for employees.

References

https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass

https://github.com/advisories/GHSA-jw9c-mfg7-9rx2

https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released

The post Active Exploitation of SAML Vulnerability CVE-2024-45409 Detected by Cyble Sensors appeared first on Cyble.