A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions.
Lasso — an acronym for Liberty Alliance Single Sign On — is a C library that implements Liberty Alliance and SAML (Security Assertion Markup Language) standards. It defines processes for federated identities, single sign-on (SSO) and other protocols.
The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company’s Enterprise Application Access (EAA) product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.
Further analysis by Akamai showed that the flaw, which allows an attacker to impersonate valid users, was introduced by the use of Lasso, and that products from other vendors are affected as well.
“This vulnerability potentially allowed actors with access to a well-formed SAML response for an organization – typically authenticated users, but potentially compromised endpoints or malicious proxies – to modify their identity and impersonate another user within the same organization,” Akamai explained.
It added, “To exploit this issue, the attacker would need to have had a valid credential for an [identity provider] or have obtained the credentials to authenticate as a valid user. We categorize the potential impact in four ways – enabling impersonated network access — both unauthenticated and authenticated — impersonated application access, and an alternative Lasso dependency for applications that rely on the Lasso library.”
Akamai determined that the vulnerability also impacts the SOGo and PacketFence packages maintained by Inverse, which Akamai acquired recently.
The Best Buy Enterprise Information Protection team and Sam Tinklenberg have been credited for finding the vulnerability. They informed Akamai about its existence on February 23, 2021.
Akamai has made available technical information about the issue. The company noted that the same vulnerability, known as XML Signature Wrapping, has been reported several times over the past years, and it appears to have existed in the Lasso codebase since 2005.
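The defensive point behind a signature-wrapping bug is that the assertion an application reads must be the very element the XML signature covers; when a parser extracts the identity from one place and the signature verifier checks another, a second, unsigned assertion can ride along with a signed one. The following is an added example written for this article, not Lasso's code or any vendor's patch: it enforces that structural binding before any cryptographic check, using only the Python standard library. It assumes the common SAML layout of an enveloped `ds:Signature` inside the `saml:Assertion`, assumes the cryptographic verification itself is handled elsewhere by a real XML-DSig library, and the two sample responses are constructed for the demonstration.

```python
"""Structural pre-checks against XML Signature Wrapping in a SAML Response.

Added example; not Lasso, Akamai or Cisco code. Assumptions: the assertion
carries an enveloped ds:Signature whose Reference points at the assertion's
own ID, and cryptographic verification is done separately after these checks.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = "{%s}Assertion" % SAML
SIGNATURE = "{%s}Signature" % DS
REFERENCE = "{%s}Reference" % DS


class WrappingRejected(Exception):
    """The response does not bind exactly one signature to the one assertion consumed."""


def ids_in_document(root):
    """Map every ID attribute to its element; a duplicated ID is rejected outright."""
    seen = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is None:
            continue
        if el_id in seen:
            raise WrappingRejected("duplicate ID %r" % el_id)
        seen[el_id] = el
    return seen


def referenced_ids(signature):
    """IDs named by the Signature's Reference URIs (same-document '#id' references only)."""
    ids = []
    for ref in signature.iter(REFERENCE):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or len(uri) < 2:
            raise WrappingRejected("unsupported Reference URI %r" % uri)
        ids.append(uri[1:])
    return ids


def trusted_subject(response_xml):
    """Return the NameID of the single, enveloped-signed Assertion, or raise."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(ASSERTION))
    # Any extra Assertion anywhere in the document breaks the one-to-one binding.
    if len(assertions) != 1:
        raise WrappingRejected("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    ids_in_document(root)  # enforces ID uniqueness across the whole document
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise WrappingRejected("Assertion has no ID to bind a signature to")
    # The Signature must be enveloped in the assertion it covers and must
    # reference that assertion's own ID and nothing else.
    envelope = [c for c in assertion if c.tag == SIGNATURE]
    if len(envelope) != 1:
        raise WrappingRejected("expected one enveloped Signature, found %d" % len(envelope))
    if referenced_ids(envelope[0]) != [assertion_id]:
        raise WrappingRejected("Signature Reference does not point at the consumed Assertion")
    # A real deployment now hands `assertion` to an XML-DSig verifier (assumed
    # here) and only afterwards reads the subject from that same element.
    name_id = assertion.find("saml:Subject/saml:NameID", {"saml": SAML})
    if name_id is None or not name_id.text:
        raise WrappingRejected("Assertion carries no NameID")
    return name_id.text.strip()


def accepts(response_xml):
    """True if the response passes the structural binding checks."""
    try:
        trusted_subject(response_xml)
        return True
    except WrappingRejected:
        return False


# Constructed sample: one assertion, signature enveloped and referencing its ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a second, unsigned Assertion is present alongside the signed
# one. Whichever element a naive parser happens to read, the binding is broken.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(trusted_subject(GOOD_RESPONSE))  # alice@example.com
    print(accepts(WRAPPED_RESPONSE))       # False
```

The design choice worth noting is that identity is read from the element that the checks already tied to the signature, never from a separate lookup by tag name or XPath over the whole document; the count and ID-uniqueness checks are what make that binding hold even when extra elements are nested in places the schema permits.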
Cisco has also confirmed that it uses the Lasso library, and the networking giant is working on determining which of its products are impacted. Currently, Cisco’s advisory lists Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as being affected.
Other vendors may be affected as well. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University was involved in the vulnerability disclosure process, but it has yet to release its own advisory. CERT/CC advisories typically contain a list of all vendors that are or may be impacted.
Lasso developers patched the vulnerability on June 1 with the release of version 2.7.0. Akamai released patches for its EAA product in early March and Cisco has also started releasing fixes.