BIT-gitlab-2024-45409
Authentication Bypass vulnerability in ruby-saml (RubyGems)
What is BIT-gitlab-2024-45409 About?
Ruby-SAML versions up to and including 1.12.2, and 1.13.0 through 1.16.0, do not properly verify the signature of SAML Responses. An unauthenticated attacker who can obtain any document signed by the Identity Provider (IdP) can forge a SAML Response/Assertion with arbitrary contents and log in as any user of the vulnerable Service Provider (SP). The vulnerability is rated critical and is straightforward to exploit once such a signed document is in hand; fixed versions are 1.12.3 and 1.17.0.
Affected Software
- ruby-saml
- >=1.13.0, <1.17.0
- <1.12.3
Technical Details
The flaw is an XML signature wrapping weakness in how Ruby-SAML located the signed content. The library verified the XML Signature by finding a ds:Signature element and the element its Reference URI pointed to with XPath queries over the whole document, and then extracted the NameID and attributes from an Assertion located by a separate lookup. Nothing tied the element whose digest and signature were checked to the element whose contents were trusted. An attacker holding any document legitimately signed by the IdP (for instance a Response captured from their own login) can therefore keep the signed Assertion byte-for-byte intact, relocate it into a part of the Response the SP ignores, and place a forged, unsigned Assertion naming a different user where the SP reads identity from. The signature check passes against the original Assertion, the forged one is consumed, and the SP logs the attacker in as the targeted user. The fix commit listed under Additional Resources tightens this selection so that only the element whose signature actually verified is trusted; the linked Synacktiv and SSOReady write-ups walk through the exact lookups involved.
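The wrapping described above, as an added example that is neither ruby-saml's code nor the PoC linked below: a toy signature scheme (RSA over the serialised Assertion, bound by a Reference URI, standing in for XMLDSig) and two service-provider verifiers. `vulnerable_name_id` models the pre-fix lookup pattern (document-wide XPath for the signature and signed element, identity from a separate lookup); `hardened_name_id` accepts only the element whose signature it verified. The element names, the `Extensions` wrapper and the sample identities are constructed for this example.

```ruby
require 'openssl'
require 'rexml/document'

# Constructed stand-in for XMLDSig (not ruby-saml code): the IdP signs SHA-256
# over the serialised <Assertion> with its own <Signature> child removed, and
# binds the signature to that element through Reference URI="#<ID>".
IDP_KEY = OpenSSL::PKey::RSA.generate(2048)
IDP_PUB = IDP_KEY.public_key

def signed_bytes(element)
  copy = element.deep_clone
  copy.elements.delete_all('Signature')
  copy.to_s
end

def sign_assertion!(assertion, key = IDP_KEY)
  raw = key.sign(OpenSSL::Digest.new('SHA256'), signed_bytes(assertion))
  sig = assertion.add_element('Signature')
  sig.add_element('Reference', 'URI' => "##{assertion.attributes['ID']}")
  sig.add_element('SignatureValue').text = [raw].pack('m0')
  assertion
end

# Constructed sample of what the IdP would return for a real login.
def build_signed_response(name_id, id: 'a1')
  doc = REXML::Document.new(
    "<Response><Assertion ID='#{id}'><Subject><NameID>#{name_id}</NameID>" \
    "</Subject></Assertion></Response>"
  )
  sign_assertion!(REXML::XPath.first(doc, '//Assertion'))
  doc.to_s
end

# Signature wrapping: the IdP-signed assertion is kept byte-for-byte intact but
# moved into an element the SP ignores, and a forged, unsigned assertion is
# placed first in document order.
def wrap_attack(legit_xml, target_name_id)
  signed = REXML::XPath.first(REXML::Document.new(legit_xml), '//Assertion')
  "<Response><Assertion ID='forged'><Subject><NameID>#{target_name_id}</NameID>" \
    "</Subject></Assertion><Extensions>#{signed}</Extensions></Response>"
end

def verify_element(sig, element, pub)
  value = sig.elements['SignatureValue']
  return false unless value && value.text
  pub.verify(OpenSSL::Digest.new('SHA256'), value.text.unpack1('m0'), signed_bytes(element))
end

# Vulnerable pattern (models the pre-fix flaw): the signature and the element it
# references are found with unanchored '//' XPath over the whole document, and
# the identity is then read from a *different* lookup, the first <Assertion>.
def vulnerable_name_id(xml, pub = IDP_PUB)
  doc = REXML::Document.new(xml)
  sig = REXML::XPath.first(doc, '//Signature')
  ref = sig && sig.elements['Reference']
  return nil unless ref
  id = ref.attributes['URI'].to_s.delete_prefix('#')
  signed = REXML::XPath.first(doc, "//*[@ID='#{id}']")
  return nil unless signed && verify_element(sig, signed, pub)
  name_id = REXML::XPath.first(doc, '//Assertion/Subject/NameID')
  name_id && name_id.text
end

# Hardened pattern: exactly one assertion and one signature, the signature must be
# the assertion's own child and reference the assertion's ID, and the identity is
# read from the very element whose signature was verified.
def hardened_name_id(xml, pub = IDP_PUB)
  doc = REXML::Document.new(xml)
  assertions = REXML::XPath.match(doc, '//Assertion')
  signatures = REXML::XPath.match(doc, '//Signature')
  return nil unless assertions.size == 1 && signatures.size == 1
  assertion = assertions.first
  sig = assertion.elements['Signature']
  ref = sig && sig.elements['Reference']
  return nil unless ref
  return nil unless ref.attributes['URI'].to_s.delete_prefix('#') == assertion.attributes['ID']
  return nil unless verify_element(sig, assertion, pub)
  name_id = assertion.elements['Subject/NameID']
  name_id && name_id.text
end

if __FILE__ == $PROGRAM_NAME
  legit  = build_signed_response('alice@example.com')
  forged = wrap_attack(legit, 'admin@example.com')
  puts "vulnerable, legit : #{vulnerable_name_id(legit).inspect}"
  puts "vulnerable, forged: #{vulnerable_name_id(forged).inspect}"   # admin: bypass
  puts "hardened,   forged: #{hardened_name_id(forged).inspect}"     # nil: rejected
end
```

Note that plain tampering (editing the NameID inside the signed assertion) is caught by both verifiers; the bypass works only because the vulnerable flow trusts an element other than the one it verified. The hardened version also rejects any document with more than one Assertion or Signature, which closes the variant where the signed assertion is nested inside the forged one.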
What is the Impact of BIT-gitlab-2024-45409?
Successful exploitation lets an unauthenticated attacker bypass authentication and log in as any user, including administrators, giving access to that user's account, sessions and data and, with an administrative target, full control of the affected application (GitLab among the affected deployments).
What is the Exploitability of BIT-gitlab-2024-45409?
Exploitation consists of building a SAML Response that passes the library's signature check while carrying attacker-chosen assertion contents (an XML signature wrapping attack). Complexity is moderate: it requires familiarity with SAML and XML Signature and possession of a SAML document legitimately signed by the IdP, and a public proof of concept exists (see below). The attack is remote and unauthenticated with respect to the SP, needing only network access to its assertion consumer endpoint. The one real precondition is the signed document, and in practice any ordinary user of the same IdP can obtain one by completing their own login and capturing the Response the IdP sends back, so the bar is low wherever self-registration or a large user base exists. Because the forged assertion can name any user, including administrators, the risk is high.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| synacktiv | Link | Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit |
What are the Available Fixes for BIT-gitlab-2024-45409?
Available Upgrade Options
- ruby-saml
- <1.12.3 → Upgrade to 1.12.3
- ruby-saml
- >=1.13.0, <1.17.0 → Upgrade to 1.17.0
Applications that consume ruby-saml through omniauth-saml should also follow the omniauth-saml advisory GHSA-cvp8-5r8g-fhvq (listed under Additional Resources), since that gem wraps ruby-saml. After upgrading, confirm that the resolved version in Gemfile.lock is outside both affected ranges.
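To check a project against the ranges above, an added example (not from the advisory or ruby-saml): it reads the locked ruby-saml version out of a Gemfile.lock and applies the two affected ranges with Gem::Requirement. The lockfile excerpt is constructed for this example and its dependency constraints are illustrative.

```ruby
# Added example, not part of the advisory: flag a locked ruby-saml version that
# falls inside either affected range (<1.12.3 or >=1.13.0,<1.17.0).
AFFECTED = [
  Gem::Requirement.new('< 1.12.3'),
  Gem::Requirement.new('>= 1.13.0', '< 1.17.0'),
].freeze

def ruby_saml_vulnerable?(version)
  v = Gem::Version.new(version)
  AFFECTED.any? { |req| req.satisfied_by?(v) }
end

# In Gemfile.lock, resolved gems sit at 4 spaces of indentation under "specs:";
# the 6-space lines below a gem are its dependency constraints, not versions.
def locked_ruby_saml_version(lockfile_text)
  m = lockfile_text.match(/^ {4}ruby-saml \(([^)\s]+)\)$/)
  m && m[1]
end

# Constructed sample lockfile (versions and constraints are illustrative).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.1.0)
        ruby-saml (~> 1.12)
      ruby-saml (1.16.0)
        nokogiri (>= 1.13.10)
        rexml

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  ver = locked_ruby_saml_version(text)
  if ver.nil?
    puts 'ruby-saml not found in lockfile'
  else
    puts "ruby-saml #{ver}: #{ruby_saml_vulnerable?(ver) ? 'VULNERABLE, upgrade' : 'not in an affected range'}"
  end
end
```

Run it as `ruby check_ruby_saml.rb Gemfile.lock` (the file name is an assumption) to scan a real lockfile; with no argument it evaluates the embedded sample.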
Additional Resources
- https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
- https://osv.dev/vulnerability/GHSA-jw9c-mfg7-9rx2
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
- https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
- https://nvd.nist.gov/vuln/detail/CVE-2024-45409
- https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2024-45409.yml
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
What are Similar Vulnerabilities to BIT-gitlab-2024-45409?
Similar Vulnerabilities: CVE-2020-13935, CVE-2021-39130, CVE-2021-38076, CVE-2023-28169, CVE-2021-43818
