Background: On 2024-09-10, the vulnerability CVE-2024-45409 in the Ruby gem ruby-saml, which is used by the ERA authentication process, was disclosed. Per the advisory, an "unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system." The scope therefore includes anyone with a CCID and the ability to log in to several other CCID-based web apps (or anyone with access to the communications between the UofA IdP and a user).
The contents of the signed SAML document are logged for each authentication attempt. A decision was made to do a forensic audit of the logged SAML, looking for attempts to exploit the ruby-saml CVE-2024-45409 vulnerability by testing each logged document for the signs of forgery that the ruby-saml patch for CVE-2024-45409 checks for.
The rough process outline:

1. Filter the logs for `{"SAMLResponse"=>"..", "subdomain"=>"era", "provider"=>"saml"}`.
2. Base64-decode the SAMLResponse value to get the SAML XML.
3. Check the SAMLResponse for the signature wrapping attack and related signs of forgery, using the ruby-saml patch as a template for what to test.
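The three steps above, worked as an added example that is not code from this issue or from ruby-saml: a Python script that pulls the SAMLResponse out of an ERA log line, base64-decodes it, and applies structural checks modeled on what the patched ruby-saml enforces (Signature directly under Response/Assertion, a single Reference naming that parent, DigestValue only inside SignedInfo). The exact log-line layout, the sample documents and the check list are assumptions; the samples are constructed, not real ERA traffic.

```python
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
LOG_RE = re.compile(r'"SAMLResponse"=>"([A-Za-z0-9+/=]+)"')  # Ruby-hash style log line, as in the outline
def extract_era_saml(log_line):
    """Return the base64 SAMLResponse from one log line if it is an ERA SAML login, else None."""
    if '"subdomain"=>"era"' not in log_line or '"provider"=>"saml"' not in log_line:
        return None
    m = LOG_RE.search(log_line)
    return m.group(1) if m else None
def check_saml_response(saml_response_b64):
    """Return forgery indicators for one SAMLResponse (assumed check list modeled on patched ruby-saml):
    Signature directly under Response/Assertion, one Reference naming that parent, DigestValue only in SignedInfo."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    parent_of = {c: p for p in root.iter() for c in p}  # ElementTree has no parent links; build our own
    findings = []
    if len(root.findall(".//" + SAML + "Assertion")) != 1:
        findings.append("expected exactly one Assertion")
    for sig in root.iter(DS + "Signature"):
        parent = parent_of.get(sig)
        if parent is None or parent.tag not in (SAMLP + "Response", SAML + "Assertion"):
            findings.append("Signature not a direct child of Response/Assertion")
        refs = sig.findall(DS + "SignedInfo/" + DS + "Reference")
        if len(refs) != 1:
            findings.append(f"{len(refs)} Reference elements (expected 1)")
        for ref in refs:
            if parent is not None and ref.get("URI") != "#" + parent.get("ID", ""):
                findings.append(f"Reference URI {ref.get('URI')!r} does not name the signed element")
    for dv in root.iter(DS + "DigestValue"):  # a DigestValue outside SignedInfo is the tell for this CVE
        p = parent_of.get(dv)
        if p is None or parent_of.get(p) is None or parent_of[p].tag != DS + "SignedInfo":
            findings.append("DigestValue outside ds:SignedInfo")
    return findings

# Constructed sample (not real ERA/UofA traffic); FORGED adds a stray DigestValue inside StatusDetail.
BENIGN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
          b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
          b'<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
          b'<ds:DigestValue>AAA=</ds:DigestValue></ds:Reference></ds:SignedInfo>'
          b'<ds:SignatureValue>BBB=</ds:SignatureValue></ds:Signature>'
          b'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
FORGED = BENIGN.replace(b"<saml:Assertion", b"<samlp:Status><samlp:StatusDetail><ds:DigestValue>CCC="
                        b"</ds:DigestValue></samlp:StatusDetail></samlp:Status><saml:Assertion", 1)
LOG_TEMPLATE = '{"SAMLResponse"=>"%s", "subdomain"=>"era", "provider"=>"saml"}'
BENIGN_LINE = LOG_TEMPLATE % base64.b64encode(BENIGN).decode()
FORGED_LINE = LOG_TEMPLATE % base64.b64encode(FORGED).decode()
```

Run `check_saml_response(extract_era_saml(line))` over each filtered log line; an empty list means the document passed the structural checks, and any finding marks that login attempt for closer review.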