SA167: SAML Authentication Bypass

ProxySG Software - SGOS

1450

04 May 2021

25 May 2018

CLOSED

MEDIUM

CVSS v2: 6.4

SUMMARY

When configured to authenticate network users with a SAML authentication realm, Symantec ASG and ProxySG incorrectly handle SAML responses that have XML nodes with comments.  A remote attacker can modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 6.7 | Upgrade to 6.7.4.130. |
| All CVEs | 6.6 | Upgrade to 6.6.5.17. |

ProxySG

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 6.7 | Upgrade to 6.7.4.130. |
| All CVEs | 6.6 | Upgrade to 6.6.5.17. |
| All CVEs | 6.5 | Upgrade to 6.5.10.14. |

ADDITIONAL PRODUCT INFORMATION

ASG and ProxySG are only vulnerable when authenticating network users in intercepted proxy traffic with a SAML authentication realm.  This vulnerability does not affect administrator user authentication for the ASG and ProxySG management consoles.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
SSL Visibility
X-Series XOS
Unified Agent

The following products are under investigation:
Norman Shark Industrial Control System Protection

ISSUES

CVE-2018-5241
Severity / CVSSv2: Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References: SecurityFocus: BID 104282 / NVD: CVE-2018-5241
Impact: Security control bypass
Description: ASG and ProxySG have a SAML authentication bypass vulnerability.  The appliances can be configured with a SAML authentication realm to authenticate network users in intercepted proxy traffic. When parsing SAML responses, ASG and ProxySG incorrectly handle XML nodes with comments.  A remote attacker can modify a valid SAML response without invalidating its cryptographic signature.  This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.
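
The advisory does not detail the parsing flaw; the sketch below, an added example that is not Symantec's code, illustrates the general class covered by the referenced Duo and CERT write-ups: a comment splits an element's text into several nodes, and because signature canonicalization commonly omits comments, the signed content does not change. The NameID value, the function names and the reject-on-comment policy are assumptions made for illustration.

```python
# Added example, not vendor code. Stdlib minidom keeps this runnable offline;
# parse untrusted SAML with a hardened parser (e.g. defusedxml) in production.
from xml.dom import Node, minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a comment splits the NameID text into two text nodes.
SAMPLE = (
    '<saml:Assertion xmlns:saml="' + SAML_NS + '"><saml:Subject>'
    "<saml:NameID>alice<!-- constructed comment -->@example.com</saml:NameID>"
    "</saml:Subject></saml:Assertion>"
)


def _name_id(xml_text):
    """Parse the document and return its first NameID element."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def comment_count(node):
    """Count comment nodes anywhere below `node`."""
    return sum(
        1 if child.nodeType == Node.COMMENT_NODE else comment_count(child)
        for child in node.childNodes
    )


def name_id_first_text_node(xml_text):
    """Fragile pattern: trusts only the first child node of NameID."""
    first = _name_id(xml_text).firstChild
    if first is not None and first.nodeType == Node.TEXT_NODE:
        return first.data
    return ""


def name_id_full_text(xml_text):
    """Robust pattern: concatenate every text node, ignoring comments."""
    kinds = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    return "".join(c.data for c in _name_id(xml_text).childNodes if c.nodeType in kinds)


def check_response(xml_text):
    """Policy check: refuse any response that carries comment nodes."""
    if comment_count(minidom.parseString(xml_text)) > 0:
        return (False, None)
    return (True, name_id_full_text(xml_text))
```

On the constructed sample the two extraction patterns disagree, which is the condition a relying party must never act on; rejecting comment-bearing responses outright removes the ambiguity.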

 

REFERENCES

Duo Finds SAML Vulnerabilities Affecting Multiple Implementations - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
CERT VU#475445 - https://www.kb.cert.org/vuls/id/475445

REVISION

2018-11-06 A fix for ProxySG 6.5 is available in 6.5.10.14. Advisory Status moved to Closed.
2018-08-04 A fix for ProxySG 6.6 and ASG 6.6 is available in 6.6.5.17.  Director is not vulnerable.  Added SecurityFocus reference.
2018-07-23 A fix for ProxySG 6.7 and ASG 6.7 is available in 6.7.4.130.
2018-06-04 Security Analytics is not vulnerable.
2018-05-25 Initial public release.