GitLab Omniauth-SAML Authentication Bypass Vulnerability in Ruby-SAML Library

Vulnerability

A critical authentication bypass vulnerability has been identified in the Ruby-SAML library, which is used by GitLab for SAML single sign-on (SSO) authentication. This vulnerability, present in Ruby-SAML versions prior to 1.12.4 and 1.13.0 through 1.18.0, arises from a parser differential between REXML and Nokogiri, which can be exploited to execute a Signature Wrapping attack. As a result, an attacker with access to a valid signed SAML document can impersonate another user, potentially leading to unauthorized access or data manipulation.

Impact

Exploitation of this vulnerability results in an authentication bypass: an attacker can log in as any user, including administrative accounts, on GitLab instances that use SAML authentication.

Reproduction

The vulnerability can be reproduced by sending a crafted SAML response that exploits the parser differential between REXML and Nokogiri. This can be done by manipulating the XML structure, such as introducing a DOCTYPE declaration that confuses the namespace handling, allowing a forged Signature element to be accepted during the validation process. Once the SAML response is processed, the attacker can bypass authentication and gain access as the impersonated user.

Remediation

Users of the Ruby-SAML library should update to version 1.18.0, which addresses the vulnerability by ensuring consistent parsing and validation of SAML documents. GitLab has released versions 17.9.2, 17.8.5, and 17.7.7 that include this patch. Affected GitLab customers should upgrade to one of these versions immediately.
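As an added defensive example (not code from GitLab, ruby-saml, or this advisory), a pre-verification gate in Ruby that rejects the structures a signature-wrapping attempt of this kind depends on: a DOCTYPE, a disagreement between the raw byte stream and the parsed tree about how many Signature elements exist, and a Signature whose Reference does not point at its own parent. The helper saml_precheck and the sample documents are constructed for illustration and use only REXML from the standard library; it runs before, not instead of, real signature verification.

```ruby
require 'rexml/document'
NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# Pre-verification gate for an inbound SAML response. Returns the list of
# rejection reasons; an empty array means the document may go on to real
# signature verification. Hypothetical helper, not part of ruby-saml.
def saml_precheck(xml)
  # Rule 1: a DOCTYPE has no place in a SAML response, and it is exactly the
  # kind of structure that makes two parsers disagree, so refuse it unparsed.
  return ['DOCTYPE declaration present'] if xml.match?(/<!DOCTYPE/i)

  doc = REXML::Document.new(xml)
  sigs = REXML::XPath.match(doc, '//ds:Signature', NS)
  reasons = []
  # Rule 2: the Signature start tags visible in the raw bytes must equal the
  # number the parser exposes; a mismatch means another parser could end up
  # verifying a different element than the one this parser will use.
  raw = xml.scan(%r{<(?:[\w.-]+:)?Signature[\s>/]}).size
  reasons << "parser exposes #{sigs.size} Signature(s), raw text has #{raw}" if raw != sigs.size

  sigs.each do |sig|
    parent = sig.parent
    # Rule 3: an enveloped signature must sit directly under the element it
    # signs (Response or Assertion), never under some other wrapper element.
    reasons << "Signature nested under <#{parent.name}>" unless %w[Response Assertion].include?(parent.name)
    # Rule 4: its Reference must point at that parent's ID and nothing else.
    ref = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference', NS)
    uri = ref ? ref.attributes['URI'].to_s.sub(/\A#/, '') : nil
    pid = parent.attributes['ID']
    reasons << "Reference URI '#{uri}' does not match parent ID '#{pid}'" unless uri == pid
  end
  reasons
end

# Constructed sample: benign response with one enveloped signature on the Assertion.
GOOD = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>c29tZXNpZw==</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML
# Constructed sample: same document with a DOCTYPE prepended (fails rule 1).
WITH_DOCTYPE = "<!DOCTYPE Response>\n" + GOOD
# Constructed sample: Reference points at the Response ID, not the signed Assertion (fails rule 4).
WRONG_REF = GOOD.sub('URI="#_a1"', 'URI="#_r1"')
```

The gate is cheap to run on every response and logs a concrete reason, which makes a rejected document easy to triage alongside the upgrade to the patched library version.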

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.