CVE-2017-16897: Security Update for passport-wsfed-saml2 Passport Strategy Library
Published: December 22, 2017
CVE number: CVE-2017-16897
Credit: Alan Bishop
Overview
A vulnerability has been discovered in the passport-wsfed-saml2 library affecting versions <3.0.5. passport-wsfed-saml2 is a WS-Federation protocol and SAML2 tokens authentication provider for Passport.js.
This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the does not sign the full SAML response, but instead only signs the assertion within the response.
An attacker who successfully exploits this vulnerability could use that response to craft a request with a different NameIdentifier in order to log in as a different user. A malicious actor could also perform a privilege escalation attack if authenticating as a specific user with administrative privileges. The attacker must have an existing account, or be able to intercept the encrypted traffic and modify the SAML response on the fly.
This update addresses the vulnerability by avoiding wrapping attacks for Assertion and Response elements, as well as providing some defensive changes in XPath expressions. An update has also been implemented to improve the method of logging information about the signing of the SAML response.
Patching this vulnerability requires a library upgrade.
Am I affected?
This vulnerability affected cloud tenants utilizing the SAMLP Identity Provider Connection wherein the identity provider either:- signed SAML response and signed assertion
- did not sign SAML response and signed assertion
How to fix that?
Developers using the passport-wsfed-saml2 library need to upgrade to the latest version:3.0.5.
Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your package.json file is updated to take patch and minor level updates of our libraries.