SA167: SAML Authentication Bypass

SYMSA1450
Last Updated November 06, 2018
Initial Publication Date May 25, 2018
Copy Article Title/URL
Feedback
Subscribe
  • Status: Closed
  • Severity: Medium
  • CVSS Base Score: CVSS v2: 6.4

When configured to authenticate network users with a SAML authentication realm, Symantec ASG and ProxySG incorrectly handle SAML responses that have XML nodes with comments.  A remote attacker can modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls.

The following products are vulnerable:

Advanced Secure Gateway
CVE Affected Version(s) Remediation
All CVEs 6.7 Upgrade to 6.7.4.130.
6.6 Upgrade to 6.6.5.17.

 

ProxySG
CVE Affected Version(s) Remediation
All CVEs 6.7 Upgrade to 6.7.4.130.
6.6 Upgrade to 6.6.5.17.
6.5 Upgrade to 6.5.10.14.

ASG and ProxySG are only vulnerable when authenticating network users in intercepted proxy traffic with a SAML authentication realm.  This vulnerability does not affect administrator user authentication for the ASG and ProxySG management consoles.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
SSL Visibility
X-Series XOS
Unified Agent

The following products are under investigation:
Norman Shark Industrial Control System Protection

CVE-2018-5241
Severity / CVSSv2 Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References SecurityFocus: BID 104282 / NVD: CVE-2018-5241
Impact Security control bypass
Description ASG and ProxySG have a SAML authentication bypass vulnerability.  The appliances can be configured with a SAML authentication realm to authenticate network users in intercepted proxy traffic. When parsing SAML responses, ASG and ProxySG incorrectly handle XML nodes with comments.  A remote attacker can modify a valid SAML response without invalidating its cryptographic signature.  This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.

Duo Finds SAML Vulnerabilities Affecting Multiple Implementations - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
CERT VU#475445 - https://www.kb.cert.org/vuls/id/475445
 

2018-11-06 A fix for ProxySG 6.5 is available in 6.5.10.14. Advisory Status moved to Closed.
2018-08-04 A fix for ProxySG 6.6 and ASG 6.6 is available in 6.6.5.17.  Director is not vulnerable.  Added SecurityFocus reference.
2018-07-23 A fix for ProxySG 6.7 and ASG 6.7 is available in 6.7.4.130.
2018-06-04 Security Analytics is not vulnerable.
2018-05-25 initial public release

Legacy ID: SA167

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.