xml-crypto Authentication Bypass Vulnerability in SAML Processing

Vulnerability

A vulnerability in the xml-crypto library for Node.js allows attackers to bypass authentication and authorization checks in systems that use this library to verify signed XML, such as SAML responses. The issue is present in xml-crypto versions through 6.0.0. The vulnerability arises because the library's signature verification can be manipulated into accepting forged SAML assertions, which can lead to unauthorized access and privilege escalation.

Impact

Exploitation of this vulnerability allows authentication bypass: attackers can gain access to user accounts, including ones with administrative privileges, in applications that rely on SAML-based single sign-on.

Reproduction

To reproduce this vulnerability, first ensure that the application is using an affected version of xml-crypto. Then, intercept a SAML response being sent to the application's Assertion Consumer Service (ACS) URL. Modify the response by adding a comment with a forged digest value into the DigestValue node, and ensure that the SAML response is canonicalized before the signature verification is performed. Finally, send the modified SAML response to the ACS URL. The application will validate the response and authenticate the user, bypassing the intended security checks.

Remediation

Users should upgrade to xml-crypto versions 6.0.1, 3.2.1, or 2.1.6, all of which contain the necessary fix. After updating, it is recommended to review SAML response handling to ensure that the application correctly validates the structure and integrity of the received assertions.
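A structural pre-check of the kind the remediation note recommends, added here as an example (it is not xml-crypto's own code, and it complements rather than replaces the upgrade): it rejects any DigestValue or SignatureValue element whose content is not exactly one text node, which catches a comment inserted into such a node before the document reaches canonicalization and signature verification. The SAML fragments below are constructed placeholders, not real responses.

```python
# Structural pre-check for ds:DigestValue / ds:SignatureValue content.
# Run on the raw SAML response, before canonicalization or verification.
from xml.dom import Node, minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
CHECKED_ELEMENTS = ("DigestValue", "SignatureValue")


def find_malformed_value_nodes(xml_text: str) -> list:
    """Return (element name, reason) for every checked element whose
    content is anything other than a single text node."""
    doc = minidom.parseString(xml_text)  # minidom preserves comment nodes
    findings = []
    for name in CHECKED_ELEMENTS:
        for el in doc.getElementsByTagNameNS(DSIG_NS, name):
            kids = el.childNodes
            if len(kids) != 1:
                # Text split by a comment, an empty element, or extra children
                findings.append((name, f"expected one child node, got {len(kids)}"))
            elif kids[0].nodeType != Node.TEXT_NODE:
                findings.append((name, f"child is not a text node (nodeType {kids[0].nodeType})"))
    return findings


def is_structurally_sound(xml_text: str) -> bool:
    """True when every DigestValue/SignatureValue holds exactly one text node."""
    return not find_malformed_value_nodes(xml_text)


# Constructed sample: a minimal signed-response skeleton with placeholder values.
CONSTRUCTED_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_placeholder">
        <ds:DigestValue>ZGlnZXN0LXBsYWNlaG9sZGVy</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

# Same constructed document with a comment inside DigestValue, the shape the advisory describes.
CONSTRUCTED_WITH_COMMENT = CONSTRUCTED_OK.replace(
    "</ds:DigestValue>", "<!-- comment inside DigestValue --></ds:DigestValue>")
```

Reject the response (and log the findings) whenever `is_structurally_sound` returns False; a well-formed response yields an empty findings list.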

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 5.0
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.