Recently Discovered SAML Auth. Bypass Vulnerabilities

By Greg Keller Posted March 2, 2018

Notice On Recently Discovered SAML Authentication Bypass Vulnerabilities

On February 27, 2018, Duo Security announced they had discovered vulnerabilities in these SAML libraries:
CVE-2017-11427 – OneLogin’s “python-saml”
CVE-2017-11428 – OneLogin’s “ruby-saml”
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth OpenSAML C++
You may also refer to the Vulnerability Notes Database which has an updated list of affected/not affected SAML toolkit vendors. Please be sure to review this occasionally.
Please be informed that JumpCloud, as an Identity Provider (IdP) offering SAML authentication services, does not deploy or leverage any of the affected software mentioned in Duo's exploit report. Further, we have analyzed our own SAML infrastructure to determine whether it was affected by any of these vulnerabilities, and that analysis found no need for modification to our implementation. No action is required for customers of JumpCloud.
Should you wish to understand exactly how the vulnerability can be exploited, specifically as it pertains to the Service Provider (SP) side of the SAML transaction, we recommend Kelby Ludwig's excellent breakdown found on Duo Security's blog. We also strongly recommend communicating with your Service Providers to confirm that they have no known issues and are not using any of the documented affected SAML libraries.
If you have any additional questions or concerns, please feel free to contact our Customer Success team and we’ll be happy to speak with you.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.
