CIE.AspNetCore.Authentication SAML Response Signature Verification Bypass Vulnerability

Vulnerability

A vulnerability exists in CIE.AspNetCore.Authentication, an ASP.NET Core remote authenticator for CIE 3.0, in versions up to and including 2.0.4. The issue arises in the validation of SAML assertions within SAML responses: the library, acting as a Service Provider (SP), does not ensure that the first signature in a response refers to the root object. This flaw allows an attacker to inject a signed XML element, bypassing signature verification for the subsequent elements. By exploiting this, an attacker could craft a fraudulent SAML response that impersonates any SPID or CIE user, using a legitimately signed XML element taken from the Identity Provider's public metadata.
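As an added illustrative example (not code from CIE.AspNetCore.Authentication or from the 2.1.0 fix), this is the structural precondition an SP must enforce before trusting any signature in a response: the first ds:Signature in document order must be a direct child of the root Response element, and its single Reference must point at the root's own ID. It is written in Python with the standard library rather than the library's C#, and the two SAML responses are constructed samples.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG, REF = f"{{{DS}}}Signature", f"{{{DS}}}Reference"

def first_signature_covers_root(xml_text: str) -> bool:
    """True only when the first ds:Signature in document order is a direct child
    of the root element and its single ds:Reference URI is the root's own ID.
    This is a structural precondition; the signature value must still be
    cryptographically verified against the trusted IdP certificate."""
    root = ET.fromstring(xml_text)
    root_id = root.get("ID")
    if not root_id:
        return False
    signatures = list(root.iter(SIG))  # iter() yields document order
    if not signatures:
        return False
    first = signatures[0]
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: elem for elem in root.iter() for child in elem}
    if parent.get(first) is not root:
        return False  # first signature is nested inside some inner element
    refs = list(first.iter(REF))
    return len(refs) == 1 and refs[0].get("URI") == "#" + root_id

# Constructed sample: Response signed at the root, reference points to the root ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1"/>
</samlp:Response>"""

# Constructed sample: the only signature lives inside an injected element and
# references that element, so the root Response and the second assertion are unsigned.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2">
  <saml:Assertion ID="_injected">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_injected"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_forged"/>
</samlp:Response>"""

if __name__ == "__main__":
    print(first_signature_covers_root(GOOD_RESPONSE))     # True
    print(first_signature_covers_root(WRAPPED_RESPONSE))  # False
```

The check only rules out the misplaced-signature shape described above; the SP still has to verify the signature value against the IdP certificate from trusted metadata and validate the assertion it actually consumes.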

Impact

Successful exploitation allows for arbitrary SAML responses to be accepted by SPs using vulnerable SDKs, enabling impersonation of any SPID or CIE user.

Reproduction

To reproduce this vulnerability, clone the 'spid-aspnetcore' repository, which shares the same SAML response verification logic. Navigate to the example web application directory and modify the 'appsettings.json' file to include a custom domain and port. After building and running the application, initiate a SPID login with the 'DemoSpid' Identity Provider. Intercept the SAML response with an HTTP proxy, decode the SAML response, and inject a signed assertion with modified attributes. After re-encoding and sending the modified response, observe the successful login, demonstrating the vulnerability.

Remediation

Users are advised to upgrade to version 2.1.0, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.