Lasso bug roped up and corralled by Enterprise Application Access developers
Enterprise Application Access (EAA) allows enterprise users to make access control and authentication decisions based on identity information offered by a third-party identity provider.
Developers of EAA took advantage of the Lasso open source library to bolt on support for the Security Assertion Markup Language (SAML) v2.0 authentication protocol – a technology widely used by identity providers.
The reliance on Lasso left EAA exposed to the effects of a recently discovered XML Signature Wrapping (XSW) vulnerability in the library. XML Signature Wrapping is a known class of vulnerability with several previously documented examples.
The Lasso vulnerability – tracked as CVE-2021-28091 – could allow an attacker to doctor a valid SAML response so that it contains an unsigned SAML assertion.
The flaw was given a CVSS score of 8.2, towards the top end of the scale.
In the case of EAA, the reliance on Lasso set up the preconditions for a possible exploit where an attacker impersonates another user of the targeted system.
Exploitation would likely take the form of a manipulator-in-the-middle attack or, alternatively, the abuse of compromised credentials obtained through phishing.
Fortunately, incident response experts at Akamai and developers at Lasso were able to work together on a coordinated disclosure process while a patch was developed.
The fix, explained in some depth in Akamai’s technical blog post, involves applying tighter cryptographic checks and controls on what constitutes a valid request.
The initial mitigations proposed by developers in February turned out to be incomplete, prompting Akamai techies to suggest a more complete resolution that has since been adopted.
Sysadmins who rely on Lasso for their SAML authentication should patch as soon as possible, Akamai advises.
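To illustrate the kind of check the article refers to, the following added example (not Akamai's or Lasso's code) performs the structural half of an XSW defence in Python with only the standard library: every SAML assertion in a response must be covered by an enveloped signature whose Reference points at that assertion's own ID (or at the whole response), and duplicate IDs are rejected. The sample response and its values are constructed; a real consumer must still verify the signatures cryptographically against the identity provider's certificate.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]

def enveloped_reference(elem):
    """Return the ID fragment referenced by a ds:Signature that is a direct child of elem, else None."""
    sig = elem.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    uri = ref.get("URI", "") if ref is not None else ""
    return uri[1:] if uri.startswith("#") else None

def unsigned_assertions(xml_text):
    """Return IDs of saml:Assertion elements not covered by an enveloped signature.

    An assertion is covered only if it carries its own ds:Signature whose Reference
    is its own ID, or if the samlp:Response carries an enveloped signature over the
    Response ID (and so over everything beneath it). Duplicate ID attributes are
    rejected outright. This is a structural pre-check: the signatures themselves
    must still be verified cryptographically against the IdP certificate.
    """
    root = ET.fromstring(xml_text)
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in SAML response")
    response_signed = enveloped_reference(root) == root.get("ID")
    return [a.get("ID") for a in root.iter(ASSERTION)
            if not response_signed and enveloped_reference(a) != a.get("ID")]

# Constructed sample (hypothetical values): the original assertion for "alice" is signed,
# and a second assertion for "admin" has been inserted without any signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("unsigned assertions:", unsigned_assertions(SAMPLE_RESPONSE))  # ['_a2']
```

A consumer that accepts the response above and then reads the subject from the first assertion it finds, rather than from the one that was actually signed, is exactly the pattern this check is meant to catch.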