Ruby affected by CVE-2024-45409

Kondukto Security Team, 09 Oct 2024
AppSec, Secure Coding

CVE-2024-45409 is a critical vulnerability in the Ruby-SAML library (affecting versions up to 1.12.2 and from 1.13.0 to 1.16.0) and in the OmniAuth SAML library that depends on it. It therefore poses a security risk for unpatched versions of GitLab (read more on the GitLab blog). The vulnerability arises from improper verification of the SAML Response signature: an attacker with access to any signed SAML document can forge a SAML Response or Assertion with arbitrary contents, which allows the attacker to log in as any user of the vulnerable system. The vulnerability has a CVSS score of 9.8, indicating its critical nature.

How CVE-2024-45409 is being exploited

Attackers exploit CVE-2024-45409 by manipulating the SAML Response. The Ruby-SAML library fails to properly verify the digital signature of the SAML Response. This allows attackers to alter the contents of the SAML Assertion without detection. By forging a SAML Response, attackers can gain unauthorized access to systems that rely on SAML for authentication. Here is an example of how the vulnerability can be exploited:

<Assertion ID="_abc123">
  <Signature>
    <SignedInfo>
      <Reference URI="#_abc123">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>abc123DigestValue</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>SignedWithPrivateKey</SignatureValue>
  </Signature>
  <!-- Assertion contents -->
</Assertion>

In this example, an attacker can modify the Assertion contents and re-sign it with a forged SignatureValue, bypassing the verification process.

How to fix CVE-2024-45409

To fix CVE-2024-45409, update the Ruby-SAML library to version 1.17.0 or 1.12.3. These versions include patches that properly verify the SAML Response signature. You can update the library by modifying your Gemfile:

gem 'ruby-saml', '>= 1.17.0'

Then, run bundle update ruby-saml to apply the update. After updating, verify that the new version is installed correctly by running bundle show ruby-saml (the output should show version 1.17.0 or 1.12.3).

Conduct thorough testing to ensure that the update does not break any existing functionality. Focus on the authentication flow that uses SAML. Verify that the SAML Response signature is correctly validated and that unauthorized access is not possible.

You can find the patches and more information on the respective GitHub repository (Patch 1, Patch 2). Also, read up on the related Security Advisory notes. Ensure all systems using the Ruby-SAML library are updated to these versions to mitigate the risk.

How to prevent similar vulnerabilities in the future

  • Patch the Ruby-SAML Library: Ensure that the Ruby-SAML library is updated to the latest version where the vulnerability has been patched.
  • Strengthen XPath Expressions: Avoid using overly permissive XPath expressions like //ds:DigestValue. Instead, use more specific paths to prevent attackers from smuggling unauthorized elements.
  • Verify Digital Signatures: Implement strict validation procedures for digital signatures and digest values to ensure the integrity and authenticity of SAML responses.
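To make the XPath point concrete, here is an added example (written for this article, not code from the post or from ruby-saml) that contrasts the permissive //ds:DigestValue lookup with one scoped to Signature/SignedInfo/Reference, flags any stray DigestValue the permissive path would also pick up, and checks that the Reference URI names the Assertion that actually encloses the Signature. It uses REXML from the Ruby standard library on a constructed sample document, so it runs offline; the Extra element and digest strings are made up for the illustration.

```ruby
require 'rexml/document'

# Namespace prefixes used in the XPath expressions below.
NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#',
       'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed sample (not a real IdP response): one genuine Signature plus a
# DigestValue sitting outside any SignedInfo, which a permissive XPath would also pick up.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_abc123">
          <ds:DigestValue>GenuineDigest==</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SignedWithPrivateKey</ds:SignatureValue>
    </ds:Signature>
    <Extra><ds:DigestValue>StrayDigest==</ds:DigestValue></Extra>
  </saml:Assertion>
XML

# Permissive lookup, the pattern the post warns against: matches anywhere in the document.
def permissive_digest_values(doc)
  REXML::XPath.match(doc, '//ds:DigestValue', NS)
end

# Strict lookup: only a DigestValue under Signature/SignedInfo/Reference is considered.
def strict_digest_values(doc)
  REXML::XPath.match(doc, '//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue', NS)
end

# DigestValue elements the permissive path finds but the strict path does not.
# Any result here means the document should be rejected before verification starts.
def stray_digest_values(xml)
  doc = REXML::Document.new(xml)
  strict = strict_digest_values(doc)
  permissive_digest_values(doc).reject { |e| strict.any? { |s| s.equal?(e) } }
                               .map { |e| e.text.strip }
end

# The Reference URI must name the element that encloses the Signature, so the bytes
# that were signed and the Assertion that is about to be trusted are the same element.
def reference_matches_enclosing_element?(xml)
  sig = REXML::XPath.first(REXML::Document.new(xml), '//ds:Signature', NS)
  uri = sig && REXML::XPath.first(sig, 'ds:SignedInfo/ds:Reference/@URI', NS)
  !uri.nil? && uri.value == "##{sig.parent.attributes['ID']}"
end
```

Running stray_digest_values on the sample returns the stray value while the scoped lookup returns only the genuine one; wiring a check like this in front of signature processing rejects documents with unexpected digest elements before any cryptography is evaluated.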

Use automated tools to scan for vulnerabilities in your codebase. Educate your development team on secure coding practices and the importance of verifying digital signatures. Additionally, consider using multi-factor authentication (MFA) to add an extra layer of security.

Summary

CVE-2024-45409 is a critical vulnerability in the Ruby-SAML library that allows attackers to forge SAML Responses and gain unauthorized access. Exploitation is possible because the SAML Response signature is improperly verified. Updating to the latest patched versions of the library is essential to mitigate this risk. Preventing similar vulnerabilities involves regular audits, updates, and secure coding practices. GitLab is a high-profile service that is vulnerable to CVE-2024-45409, and it is strongly recommended to move to a patched version.
