Golang XML parser vulnerability could enable SAML authentication bypass

Three critical bugs have been discovered with no patch available at present


Security researchers have disclosed three critical vulnerabilities within the XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication that features in many popular web applications.

The flaws were discovered earlier in the year by cloud collaboration provider Mattermost, which has been working with Go's security team since August on addressing them, as well as with the organisations and individuals who maintain downstream projects.

All three revolve around the way Go's encoding/xml package handles documents that are decoded and then re-encoded (a round-trip), allowing attackers to craft markup whose meaning changes between one pass and the next. According to a blog post by Juho Nurminen, product security engineer at Mattermost, the flaws create several potential security problems, one of the most significant being the risk to the integrity of the web-based SAML single sign-on (SSO) standard.

The first flaw, CVE-2020-29509, is an XML attribute instability in Go's encoding/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document due to namespace mutations between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.

The other two vulnerabilities - designated CVE-2020-29510 and CVE-2020-29511, respectively - can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.

"As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go's decoder and encoder implementations," said Nurminen. "In other words, passing XML through Go's decoder and encoder doesn't preserve its semantics."

"Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document."

"The actual impact of these XML round-trip vulnerabilities of course varies by use case," he said, "but in SAML SSO it’s easy to understand: if your SAML messages can be altered to say you’re someone you’re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass."

At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.

There are, however, mitigations available. Mattermost identified three major open-source SAML implementations that are vulnerable to these flaws: Dex SAML Connector, github.com/crewjam/saml and github.com/russellhaering/gosaml2. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of "significant applications and products" that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.

In addition, it has also open-sourced an XML validation library that can be used as a workaround until a more permanent solution is established. Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.
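To make the round-trip problem described above concrete, and to show the shape of a pre-validation workaround like the one Mattermost published, here is an added example in Go. It is not code from the article, from Nurminen's blog post or from Mattermost's validator library. The two sample documents are constructed for this illustration: one declares every prefix it uses, the other uses an undeclared prefix, which Go's decoder keeps as the bare string "x" in Name.Space and the encoder then re-emits as a default-namespace declaration. That mutation is one instance of the round-trip class the article describes; the advisories' own payloads are not reproduced here. CheckPrefixes is a hypothetical check that targets this single hazard (undeclared prefixes and names with stray colons) on the raw bytes before any SAML library decodes them.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample inputs (not taken from the advisory).
// BenignAssertion declares every prefix it uses, as a real SAML message would.
const BenignAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>`

// UndeclaredPrefix uses a prefix with no xmlns declaration. Go's decoder keeps
// the bare prefix "x" as the element's Space; the encoder then writes that
// string as if it were a namespace URI.
const UndeclaredPrefix = `<x:Root/>` // RoundTrip → <Root xmlns="x"></Root>

// RoundTrip decodes doc with Decoder.Token (which applies namespace
// translation, as Unmarshal does) and re-encodes the tokens. This is the kind
// of decode/encode pass a SAML library may perform between verifying the
// signature and reading values out of the document.
func RoundTrip(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out strings.Builder
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		if err := enc.EncodeToken(tok); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// CheckPrefixes is a hypothetical pre-validation step (not Mattermost's
// validator). It walks the raw token stream (RawToken does no namespace
// translation), tracks xmlns declarations per element scope, and rejects any
// element or attribute whose prefix is undeclared or whose name still
// contains a colon after the prefix split.
func CheckPrefixes(doc string) error {
	type scope struct {
		name  xml.Name
		added []string // prefixes declared on this element
	}
	dec := xml.NewDecoder(strings.NewReader(doc))
	declared := map[string]int{"xml": 1} // prefix -> active declarations; "xml" is predeclared
	var stack []scope
	for {
		tok, err := dec.RawToken()
		if err == io.EOF {
			if len(stack) != 0 {
				return fmt.Errorf("unclosed element <%s>", stack[len(stack)-1].name.Local)
			}
			return nil
		}
		if err != nil {
			return err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			sc := scope{name: t.Name}
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" { // xmlns:prefix="uri"
					declared[a.Name.Local]++
					sc.added = append(sc.added, a.Name.Local)
				}
			}
			stack = append(stack, sc)
			if err := checkName(t.Name, declared); err != nil {
				return err
			}
			for _, a := range t.Attr {
				if err := checkName(a.Name, declared); err != nil {
					return err
				}
			}
		case xml.EndElement:
			if len(stack) == 0 || stack[len(stack)-1].name != t.Name {
				return fmt.Errorf("unbalanced end tag </%s>", t.Name.Local)
			}
			for _, p := range stack[len(stack)-1].added {
				declared[p]--
			}
			stack = stack[:len(stack)-1]
		}
	}
}

// checkName rejects empty or colon-containing local names and undeclared prefixes.
func checkName(n xml.Name, declared map[string]int) error {
	if n.Local == "" || strings.Contains(n.Local, ":") {
		return fmt.Errorf("malformed name %q", n.Space+":"+n.Local)
	}
	if n.Space != "" && n.Space != "xmlns" && declared[n.Space] == 0 {
		return fmt.Errorf("undeclared namespace prefix %q on %q", n.Space, n.Local)
	}
	return nil
}

func main() {
	for _, doc := range []string{BenignAssertion, UndeclaredPrefix} {
		out, err := RoundTrip(doc)
		fmt.Printf("input:  %s\noutput: %s (err=%v)\n", doc, out, err)
		fmt.Printf("check:  %v\n\n", CheckPrefixes(doc))
	}
}
```

Run CheckPrefixes on the raw SAML response bytes before handing them to the SAML library, and reject the message on any error. Note that even a benign namespaced document does not round-trip byte-for-byte through encoding/xml (the encoder renames prefixes, e.g. the xmlns:saml declaration comes back as _xmlns:saml), so a naive "re-encode and compare the bytes" check would reject every legitimate SAML message; a workable validator has to target the specific constructs that change meaning, which is why this check looks only at prefix declarations and name shape.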
