XML Signature Wrapping vulnerability in SAML protocol

  • 7011305
  • 05-Nov-2012
  • 05-Nov-2012

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server
CVE-2011-1411

Situation

Access Manager is set up as a SAML 2.0 Identity Provider with federated relationships to SAML 2.0 Service Providers. The SAML protocol libraries shipped with Access Manager 3.2 allow remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack", as described at https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf.

It should be impossible to tamper with a SAML assertion generated by the SAML Identity Server and still have signature verification succeed. With this vulnerability, however, the signature of a genuine assertion can be moved within the document in such a way that the signature still validates for a tampered assertion.

Resolution

Apply Access Manager 3.2 Support Pack 1.

The signature-wrapping check can be turned on or off with the following context-init parameter in web.xml (setting it to false disables the check).

<context-param>
    <param-name>checkForXSWAttacks</param-name>
    <param-value>false</param-value>
</context-param>

By default this flag is on: the assertion and any other signed XML are checked for tampering before they are consumed.
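The check behind a flag like this is structural, not cryptographic: before trusting an assertion, the consumer must confirm that the element the signature's Reference points to is the very element it is about to consume, and that the document does not contain extra assertions. The following is an added illustration written for this article, not NetIQ's code and not what checkForXSWAttacks actually does internally; it assumes cryptographic verification of the signature is performed separately by an XML-DSig library, and the SAML messages it parses are constructed fixtures.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def find_signed_assertion(response_xml):
    """Return the one Assertion whose enveloped Signature references its own ID, else raise.
    Cryptographic verification of the signature is assumed to happen separately."""
    root = ET.fromstring(response_xml)  # use defusedxml in production to disable DTD/entities
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # The signature must be enveloped directly inside the assertion it covers.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("assertion is not signed")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")
    ref_id = uri[1:]
    # The referenced ID must be unique in the whole document and must belong to this assertion.
    holders = [e for e in root.iter() if e.get("ID") == ref_id]
    if len(holders) != 1 or holders[0] is not assertion:
        raise ValueError("signature reference does not identify the consumed assertion")
    return assertion

def is_safe(response_xml):
    """True when the structural binding check passes, False otherwise."""
    try:
        find_signed_assertion(response_xml)
        return True
    except (ValueError, ET.ParseError):
        return False

def _response(body):  # constructed test fixture, not real Identity Server output
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">' + body + '</samlp:Response>')

SIGNED = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
          '</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
GOOD = _response(SIGNED)
# A response carrying a second, unsigned assertion next to the signed one is refused outright.
UNSIGNED_EXTRA = _response('<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>bob'
                           '</saml:NameID></saml:Subject></saml:Assertion>' + SIGNED)
```

The check deliberately fails closed: any response with more than one assertion, an external or non-ID reference, or an ID that does not resolve uniquely to the consumed assertion is rejected before the assertion's contents are read.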