ruby-saml
cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*
- <= 1.12.4
A critical authentication bypass vulnerability has been identified in the ruby-saml library in versions prior to 1.18.0. The issue stems from the libxml2 canonicalization process that Nokogiri uses for document transformation, and it can be exploited to mount a Signature Wrapping attack. When libxml2's canonicalization is applied to invalid XML input, it may return an empty string instead of a canonicalized node. ruby-saml assumes that canonicalization succeeded and computes the DigestValue over this empty string. An attacker can use this to manipulate signature validation and potentially bypass authentication by replaying signatures on an empty canonical form.
Successful exploitation bypasses Digest and Signature validation, which allows authentication bypass and can potentially lead to unauthorized actions or access.
Users are advised to update ruby-saml to version 1.18.0 or later, where this vulnerability has been fixed.
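The failure mode described above (a DigestValue computed over an empty canonical form) can be checked for directly. The following is an added example, not ruby-saml's code or its 1.18.0 fix: the helper names, the error class and the sample message are hypothetical and constructed for illustration, and only the Ruby standard library is used.

```ruby
require 'digest'

# Digest algorithms commonly referenced by XML-DSig DigestMethod.
DIGESTS = {
  'sha1' => Digest::SHA1, 'sha256' => Digest::SHA256,
  'sha384' => Digest::SHA384, 'sha512' => Digest::SHA512
}.freeze

# Base64 digest of "" per algorithm: the DigestValue produced when
# canonicalization silently returns an empty string.
EMPTY_DIGESTS = DIGESTS.transform_values { |d| [d.digest('')].pack('m0') }.freeze

class EmptyCanonicalFormError < StandardError; end

# Hypothetical hardened digest step: fail closed instead of hashing an
# empty canonical form as if canonicalization had succeeded.
def digest_of_canonical(canonical, algorithm)
  if canonical.nil? || canonical.empty?
    raise EmptyCanonicalFormError, 'canonicalization returned no data'
  end
  [DIGESTS.fetch(algorithm).digest(canonical)].pack('m0')
end

# Triage helper for captured SAML messages: return every DigestValue that
# equals an empty-input digest. Works on raw text, so it is a log filter,
# not a signature validator.
def empty_digest_values(xml_text)
  pattern = %r{<(?:\w+:)?DigestValue[^>]*>([^<]*)</(?:\w+:)?DigestValue>}
  xml_text.scan(pattern).flatten
          .map { |v| v.gsub(/\s+/, '') }
          .select { |v| EMPTY_DIGESTS.value?(v) }
end

# Constructed sample: one Reference with an empty-input SHA-256 digest,
# one with the digest of real canonical bytes.
SAMPLE = <<~XML
  <ds:Reference URI="#_constructed1">
    <ds:DigestValue>#{EMPTY_DIGESTS['sha256']}</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#_constructed2">
    <ds:DigestValue>#{digest_of_canonical('<a></a>', 'sha256')}</ds:DigestValue>
  </ds:Reference>
XML

puts empty_digest_values(SAMPLE)
```

A legitimately signed assertion never has empty canonical bytes, so any hit from the triage helper in stored SAML responses warrants review of the associated login.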