GitLab and NetApp Products SAML Authentication Bypass Vulnerability in Ruby SAML Library

Vulnerability

A critical authentication bypass vulnerability has been identified in the Ruby SAML library, which is used for SAML single sign-on (SSO) authentication. It affects Ruby SAML versions prior to 1.12.4, and versions from 1.13.0 prior to 1.18.0. The issue arises from a parser differential between REXML and Nokogiri, which can be exploited to carry out a Signature Wrapping attack, allowing an attacker to impersonate users. This vulnerability has been acknowledged by GitHub and is present in GitLab deployments with SAML enabled.

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to impersonate users. In the case of GitLab, this exploitation can be escalated to gain unauthenticated admin access.

Reproduction

The vulnerability can be reproduced by sending a crafted SAML response that exploits the parser differential between REXML and Nokogiri. This is done by introducing a duplicate namespace declaration in the XML signature, which REXML mishandles, producing a false digest value. The forged signature can then be used to bypass signature validation and authenticate as another user.

Remediation

Users are advised to update to Ruby SAML version 1.18.0 or later. GitLab has released a patch in versions 17.9.2, 17.8.5, and 17.7.7. NetApp products affected by this vulnerability should also be updated.
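To turn the remediation guidance into a check, the following added example (not code from the advisory, GitLab, or the Ruby SAML project) reads the resolved ruby-saml version out of a Gemfile.lock and compares it against the two vulnerable ranges stated above. It assumes the gem is published as ruby-saml and that the lockfile follows Bundler's usual layout; the sample lockfile is constructed.

```ruby
require "rubygems"

# Vulnerable ranges from the advisory: < 1.12.4, and >= 1.13.0 but < 1.18.0.
# Each entry is [inclusive lower bound, exclusive upper bound].
RUBY_SAML_VULNERABLE = [
  [Gem::Version.new("0"),      Gem::Version.new("1.12.4")],
  [Gem::Version.new("1.13.0"), Gem::Version.new("1.18.0")],
].freeze

# True when the given version string falls inside a vulnerable range.
def ruby_saml_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  RUBY_SAML_VULNERABLE.any? { |lo, hi| v >= lo && v < hi }
end

# Extract the resolved version of a gem from Gemfile.lock text.
# Bundler lists resolved gems as "    name (x.y.z)" under GEM/specs;
# dependency lines are indented further and are therefore skipped.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^\s{4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
  m && m[1]
end

# Classify a lockfile: :vulnerable, :patched, or :not_found when the gem is absent.
def audit_lockfile(lockfile_text)
  version = locked_version(lockfile_text, "ruby-saml")  # assumed gem name
  return :not_found unless version
  ruby_saml_vulnerable?(version) ? :vulnerable : :patched
end

# Constructed sample lockfile; versions of the other gems are illustrative only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
      rexml (3.4.0)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "ruby-saml #{locked_version(SAMPLE_LOCK, 'ruby-saml')}: #{audit_lockfile(SAMPLE_LOCK)}"
end
```

Point `audit_lockfile` at `File.read("Gemfile.lock")` of a GitLab or other Ruby deployment to check it instead of the sample.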

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.