Critical Golang XML Parser Bugs Can Cause SAML Authentication Bypass
This week, Mattermost, in coordination with the Go team, has disclosed three critical vulnerabilities in the Go language’s XML parser.
If exploited, these vulnerabilities, which also affect multiple Go-based SAML implementations, can lead to a complete bypass of SAML authentication, which powers prominent web applications today.
XML parser doesn’t guarantee integrity
The XML round-trip vulnerabilities listed below lurk in Golang’s XML parser, encoding/xml, which doesn’t return reliable results when encoding and decoding XML input.
This means that XML markup encoded and then decoded by the parser may come back with inconsistent and unexpected results.
- CVE-2020-29509: XML attribute instability in Go’s encoding/xml
- CVE-2020-29510: XML directive instability in Go’s encoding/xml
- CVE-2020-29511: XML element instability in Go’s encoding/xml
“As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations,” said Juho Nurminen, Product Security Engineer at Mattermost.
Nurminen explained that this means if an application uses the XML parser, the encoder and decoder won’t preserve the semantics of the original markup.
“If your application processes XML and, while processing it, parses markup that’s the output of at least one preceding round of parsing and serialization, you can no longer assume the output of that parsing matches the output from the preceding round. In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics,” explained Nurminen.
One of the partial fixes made for the vulnerabilities demonstrates the inconsistencies these flaws can cause during XML parsing.
For example, `<:name>` would have its colon stripped, and likewise an XML tag with an attribute whose value is empty (“”) would be serialized without the attribute altogether.
Complete SAML authentication bypass possible
While at first glance this may seem like a trivial bug, Mattermost stresses that many applications expect semantic integrity, so these vulnerabilities can have serious consequences.
For example, various SAML implementations relying on this XML parser can be tricked by attackers into bypassing SAML authentication altogether.
Security Assertion Markup Language (SAML) is an XML-based web authentication standard used by multiple prominent websites and services to facilitate easier online sign-in.
“Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document,” warned Mattermost.
Should a mission-critical application use the XML parser, the impact within a SAML SSO system can be privilege escalation or authentication bypass, depending on how the application uses the vulnerable parser.
No patch available for the parser itself
It is worth noting that the Go security team has advised that, at this time, there is no patch available that adequately fixes these vulnerabilities.
The fix commit described above also states that round-trip stability is not a supported security property of encoding/xml, so the fix alone is insufficient to guarantee reliable XML parsing.
However, fixed versions have been released for some of the individual Go-based SAML projects, such as:
- Dex IDP version 2.27.0
- github.com/crewjam/saml version 0.4.3
- github.com/russellhaering/gosaml2 version 0.6.0
Additionally, Mattermost has provided a tool, “xml-roundtrip-validator”, that can be used as a workaround by incorporating round-trip validation of XML input into your application.
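The kind of round-trip check such a workaround performs, written out as an added example (illustrative code, not the xml-roundtrip-validator tool’s own implementation): decode the document with encoding/xml, re-encode the tokens, decode the result again, and refuse to trust the document if the two token streams differ, which is exactly the instability the article describes. The sample document, the function names and the namespace-free input are constructed assumptions.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// sampleDoc is a constructed, namespace-free stand-in for a SAML-style message.
const sampleDoc = `<Response ID="abc"><Issuer>idp</Issuer></Response>`
// decodeTokens copies each token; the decoder reuses its buffers between calls.
func decodeTokens(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		} else if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(tok))
	}
}

// RoundTrip decodes, re-encodes and decodes again, reporting whether both token
// streams match; an unstable document should be rejected before it is trusted.
func RoundTrip(doc []byte) (stable bool, reencoded string, err error) {
	first, err := decodeTokens(doc)
	if err != nil {
		return false, "", err
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, tok := range first {
		if err := enc.EncodeToken(tok); err != nil {
			return false, "", err
		}
	}
	if err := enc.Flush(); err != nil { // flush before reading buf
		return false, "", err
	}
	second, err := decodeTokens(buf.Bytes())
	return err == nil && reflect.DeepEqual(first, second), buf.String(), err
}

func main() {
	fmt.Println(RoundTrip([]byte(sampleDoc)))
}
```

Which inputs fail the check depends on the Go version, since the fixes mentioned above were only partial; run it on the raw message before it reaches the SAML library, because that library parses with the same encoding/xml.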
The complete findings by Mattermost researchers and the disclosure timeline are provided in their blog post.