Identity Server XSS vulnerability possible by manipulating the AssertionConsumerService URL in SAMLRequest (CVE-2016-5751)

  • 7017808
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Identity Server
CVE-2016-5751

Situation

Access Manager's Identity Server processes incoming SAML requests from trusted providers. When handling such requests, a number of validations are performed on the request parameters as well as on the signature. If the signature check is disabled, however, the AssertionConsumerService (ACS) parameter may be used to redirect users to a rogue target.

The following SAML AuthnRequest shows how this cross-site scripting (XSS) vulnerability may be exploited: the SAML SP in this case has added an ACS parameter that will execute a script. The IDP will process the request and, after authenticating the user, generate an assertion to send to this ACS URL. If the browser can execute JavaScript, the script embedded within the ACS URL will be executed:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://customerX--XXX.XXXX.my.salesforce.com?so=00D8E0000008ykN&quot;/&gt;&lt;script&gt;alert(1);&lt;/script&gt;"
:

Without any check on this URL, the user information can be posted cross-domain through an auto-post form. The session id is stored properly, so it can't be stolen, but the following attack scenario is possible:

- user is tricked into visiting a site controlled by an attacker (it may be an advertisement in an iframe) while authorised with SSO
- XSS is executed in the context of SSO
- user is presented with a fake password form, and the credentials are received by the attacker

Resolution

Apply 4.2.2 for NAM 4.2 platform; or 4.1.2 HF1 for NAM 4.1 platform.

To work around the issue, enable signature validation on incoming AuthnRequests.

Cause

No validation of the ACS URL.
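The missing check named above, as an added example that is not part of this advisory or of Access Manager's own code: an exact-match allow-list validation of the AssertionConsumerServiceURL in a parsed AuthnRequest against the ACS endpoints registered for the issuing SP, performed independently of the signature check. The SP entityID, the ACS URL and the two sample requests are constructed for the illustration, and the caller is assumed to have already decoded the SAMLRequest parameter for its binding.

```python
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed trust table (hypothetical SP, not a real deployment):
# issuer entityID -> ACS URLs registered in that SP's metadata.
REGISTERED_ACS = {
    "https://sp.example.test/saml": {"https://sp.example.test/saml/acs"},
}

def acs_is_registered(acs_url: str, registered: set) -> bool:
    """Exact match against the allow-list, https only: no prefix,
    host-only or substring matching, so an injected query or fragment
    appended to a genuine ACS URL is still rejected."""
    parts = urlsplit(acs_url)
    return parts.scheme == "https" and bool(parts.netloc) and acs_url in registered

def validate_authn_request(xml: bytes) -> tuple:
    """Return (accepted, reason) for an already-decoded SAMLRequest.
    This check is independent of signature verification, so it still
    protects a deployment where signature validation is switched off."""
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != SAMLP + "AuthnRequest":
        return False, "not an AuthnRequest"
    issuer_el = root.find(SAML + "Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in REGISTERED_ACS:
        return False, "unknown issuer"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        return True, "no ACS in request; use the default from SP metadata"
    if not acs_is_registered(acs, REGISTERED_ACS[issuer]):
        return False, "ACS URL not registered for issuer"
    return True, "ok"

# Constructed sample requests for the hypothetical SP. The second one carries
# the entity-encoded script payload pattern quoted in the advisory; the XML
# parser decodes the entities, so the attribute value ends in "><script>...".
HEAD = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
        b' IssueInstant="2016-07-04T00:00:00Z" AssertionConsumerServiceURL="')
TAIL = b'"><saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>'
LEGIT = HEAD + b"https://sp.example.test/saml/acs" + TAIL
INJECTED = HEAD + b"https://sp.example.test/saml/acs?so=1&quot;/&gt;&lt;script&gt;alert(1);&lt;/script&gt;" + TAIL
```

Because the comparison is an exact match against metadata, a request whose ACS starts with a genuine SP URL but carries extra query or markup is rejected just like one pointing at an unrelated host.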