Forensic audit of ERA logs for CVE-2024-45409 (Ruby-SAML SAML Response Forgery Vulnerability) exploitation #3569

Open
jefferya opened this issue Sep 13, 2024 · 0 comments
@jefferya
Contributor

Background: On 2024-09-10, the vulnerability CVE-2024-45409 was disclosed in the Ruby gem ruby-saml, which is used by the ERA authentication process. With this vulnerability, an "unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system." The scope includes anyone with a CCID and the ability to log in to several other CCID-based web apps (or with access to the communications between the UofA IdP and a user).

The contents of the signed saml are logged for each authentication attempt. A decision was made to do a forensic audit of the logged saml, looking for attempts to exploit the ruby-saml CVE-2024-45409 vulnerability by testing the logged saml for the signs of forgery outlined by the ruby-saml patch for CVE-2024-45409.

The rough process outline

  • filter logs for {"SAMLResponse"=>"..", "subdomain"=>"era", "provider"=>"saml"}
  • base64 decode SAMLResponse value to get SAML XML
  • check the SAMLResponse for the signature wrapping attack and related signs of forgery. Use the ruby-saml patch as a template for what to test.
@jefferya jefferya self-assigned this Sep 13, 2024
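The three-step audit above, written out as an added example (this is not code from the ERA project or from this issue's author). It filters Rails-style log lines for the ERA SAML callback parameters, base64-decodes each SAMLResponse, and runs the kind of structural checks the ruby-saml fix for CVE-2024-45409 enforces: the Signature's Reference URI must point at the element that encloses the Signature, each Signature carries one Reference, ID attributes are unique, and there is exactly one Assertion sitting directly under the Response. The exact heuristics, the assumed log format (a params hash with the keys in the order quoted in the issue, one per line) and the sample log lines, including the benign and the wrapped SAML documents, are all constructed for illustration; no real ERA data is used.

```python
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Assumed Rails params-hash log format, with the keys in the order quoted in the issue.
LOG_PATTERN = re.compile(
    r'"SAMLResponse"=>"([^"]+)".*"subdomain"=>"era".*"provider"=>"saml"'
)


def extract_saml_responses(lines):
    """Yield (line_number, decoded SAML XML bytes) for each ERA SAML login attempt."""
    for n, line in enumerate(lines, 1):
        m = LOG_PATTERN.search(line)
        if m:
            yield n, base64.b64decode(m.group(1))


def audit_response(xml_bytes):
    """Return a list of forgery indicators found in one SAMLResponse (empty if clean)."""
    root = ET.fromstring(xml_bytes)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    findings = []

    # Duplicate IDs let a Reference URI resolve to an attacker-controlled element.
    ids = [el.get("ID") for el in root.iter() if el.get("ID")]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        findings.append(f"duplicate ID attribute(s): {dupes}")

    # Each Signature must carry one Reference, and it must point at the Signature's own parent.
    sigs = list(root.iter(DS + "Signature"))
    if not sigs:
        findings.append("no Signature element")
    for sig in sigs:
        refs = sig.findall(f"./{DS}SignedInfo/{DS}Reference")
        if len(refs) != 1:
            findings.append(f"Signature has {len(refs)} Reference elements, expected 1")
            continue
        uri = refs[0].get("URI", "")
        signed_id = parent[sig].get("ID")
        if uri != f"#{signed_id}":
            findings.append(
                f"Reference URI {uri!r} does not match enclosing element ID {signed_id!r}"
            )

    # Exactly one Assertion, directly under the Response; anything else looks like wrapping.
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != 1:
        findings.append(f"{len(assertions)} Assertion elements, expected 1")
    for a in assertions:
        if parent[a] is not root:
            findings.append(
                f"Assertion {a.get('ID')!r} is nested under {parent[a].tag}, not the Response"
            )
    return findings


def audit_log_lines(lines):
    """Return {line_number: findings} for every logged SAMLResponse showing signs of forgery."""
    return {n: f for n, xml in extract_saml_responses(lines) if (f := audit_response(xml))}


# ---- constructed sample data (not real IdP or ERA traffic) ----
_NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')

BENIGN_XML = f"""<samlp:Response {_NS} ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Signature wrapping: the legitimately signed assertion is hidden inside ds:Object while an
# unsigned assertion for "admin" sits where a vulnerable consumer looks first.
FORGED_XML = f"""<samlp:Response {_NS} ID="_r1">
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:Object>
        <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
      </ds:Object>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def _log_line(xml, subdomain="era"):
    b64 = base64.b64encode(xml.encode()).decode()
    return f'Parameters: {{"SAMLResponse"=>"{b64}", "subdomain"=>"{subdomain}", "provider"=>"saml"}}'


SAMPLE_LOG = [
    'Started POST "/users/auth/saml/callback" for 10.0.0.5 at 2024-09-11 08:00:00 -0600',
    _log_line(BENIGN_XML),
    _log_line(FORGED_XML),
    _log_line(FORGED_XML, subdomain="other"),  # not ERA, filtered out by step 1
]

if __name__ == "__main__":
    for n, findings in audit_log_lines(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
```

These checks are structural, so they flag a wrapped document without needing the IdP certificate; they do not replace verifying the signature itself, and an EncryptedAssertion would have to be decrypted before the Assertion checks apply. A hit should be treated as a lead to pull the full request context (source IP, timestamp, resulting session), not as proof of a successful login.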