A new critical vulnerability in the Ruby-SAML and OmniAuth-SAML libraries, which allows SAML authentication to be bypassed and affects GitLab, has been disclosed. If you are using GitLab, read this Cybersecurity Threat Advisory to learn how to mitigate your risk.
What is the threat?
This vulnerability allows attackers to bypass SAML authentication to gain access to GitLab and to other systems built on the Ruby-SAML and OmniAuth-SAML libraries. Bad actors can exploit a flaw in the verification of the digital signatures that protect SAML assertions, manipulate the SAML response, and bypass the security checks.
Why is this noteworthy?
SAML (Security Assertion Markup Language) is a widely used protocol for exchanging authentication and authorization data between parties. The security of the protocol hinges on the digital signatures over its assertions, which ensure the authenticity and integrity of SAML responses.
This vulnerability allows an attacker to insert their own digest value within a samlp:Extensions element so that it is the first match for the library's XPath expression. The parser looks for a DigestValue in the XML Signature namespace, but it searches the whole document for one instead of a specific location such as the SignedInfo block, where the value normally resides. With signature verification bypassed in this way, an assertion supplied by the attacker is accepted, and the authentication process is skipped.
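The following Ruby script is an added illustration of the lookup flaw described above; it is not Barracuda's code and not the Ruby-SAML library's own code. It builds a constructed SAML response with Ruby's standard REXML and compares two ways of reading the reference digest: an unanchored `//ds:DigestValue` expression, which XPath evaluates from the document root no matter which node is the context, and a path anchored under `Signature/SignedInfo/Reference`. The `canonical` helper hashes the plain REXML serialisation as a stand-in for exclusive C14N, and the assertion, IDs and digest strings are all made up for the example.

```ruby
require 'rexml/document'
require 'digest'

DS    = 'http://www.w3.org/2000/09/xmldsig#'
SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS    = { 'ds' => DS, 'samlp' => SAMLP, 'saml' => SAML }.freeze

# Constructed assertion (not from any real identity provider).
ASSERTION = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">' \
            '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>' \
            '</saml:Assertion>'

# Stand-in for exclusive C14N: a real verifier canonicalises the referenced
# element before hashing; here the REXML serialisation is hashed so the
# example runs with the standard library only.
def canonical(element)
  element.to_s
end

def digest_of(text)
  [Digest::SHA256.digest(text)].pack('m0') # base64 without line breaks
end

# Builds a constructed response string. An unrelated ds:DigestValue can be
# placed inside samlp:Extensions ahead of the Signature, which is the
# document shape the advisory describes.
def build_response(digest:, rogue_digest: nil)
  extensions = if rogue_digest
    "<samlp:Extensions><ds:DigestValue>#{rogue_digest}</ds:DigestValue></samlp:Extensions>"
  else
    ''
  end
  <<~XML
    <samlp:Response xmlns:samlp="#{SAMLP}" xmlns:ds="#{DS}" ID="_r1">
      #{extensions}
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_a1">
            <ds:DigestValue>#{digest}</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVzLW5vdC1jaGVja2VkLWhlcmU=</ds:SignatureValue>
      </ds:Signature>
      #{ASSERTION}
    </samlp:Response>
  XML
end

def assertion_digest(doc)
  digest_of(canonical(REXML::XPath.first(doc, '//saml:Assertion', NS)))
end

# Response whose SignedInfo digest really covers the embedded assertion.
def legit_response(rogue_digest: nil)
  probe = REXML::Document.new(build_response(digest: 'placeholder'))
  build_response(digest: assertion_digest(probe), rogue_digest: rogue_digest)
end

# Flawed lookup: '//' is absolute in XPath, so even with the Reference node
# as context this returns the first ds:DigestValue anywhere in the document.
def digest_unanchored(doc)
  ref = REXML::XPath.first(doc, '//ds:Signature/ds:SignedInfo/ds:Reference', NS)
  REXML::XPath.first(ref, '//ds:DigestValue', NS).text
end

# Anchored lookup: walks from the root through Signature/SignedInfo/Reference
# and reads only the DigestValue that is a child of that Reference.
def digest_anchored(doc)
  ref = REXML::XPath.first(doc, '/samlp:Response/ds:Signature/ds:SignedInfo/ds:Reference', NS)
  REXML::XPath.first(ref, './ds:DigestValue', NS).text
end

# Reference digest check as a verifier would run it with either lookup.
def digest_matches?(xml, lookup)
  doc = REXML::Document.new(xml)
  send(lookup, doc) == assertion_digest(doc)
end

if __FILE__ == $PROGRAM_NAME
  plain    = legit_response
  extended = legit_response(rogue_digest: 'AAAA' * 11) # constructed, unrelated digest
  puts "no extensions,   anchored:   #{digest_matches?(plain, :digest_anchored)}"
  puts "with extensions, anchored:   #{digest_matches?(extended, :digest_anchored)}"
  puts "with extensions, unanchored: #{digest_matches?(extended, :digest_unanchored)}"
end
```

With the Extensions element present, the anchored lookup still reads the digest that belongs to the signature, while the unanchored lookup reads whatever DigestValue appears first in document order. A verifier should therefore select the digest relative to the SignedInfo it is about to check, and reject a response in which the value it reads sits anywhere else.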
What is the exposure or risk?
GitLab issued a patch in September 2024; however, organizations using a similar process may still be affected by the vulnerability. Ruby-SAML and OmniAuth-SAML are both popular authentication libraries and may be used in other software.
What are the recommendations?
Barracuda recommends the following action to protect your environment against this vulnerability:
- Update the Ruby-SAML or OmniAuth-SAML libraries to the latest release.
- Review and harden SAML settings, including validation of signatures.
- Ensure the integrity of SAML assertions to reduce the risk of an attacker manipulating authentication tokens.
References
For more in-depth information about the recommendations, please visit the following links:
- https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/
- https://securityonline.info/researchers-detail-ruby-saml-gitlab-flaw-cve-2024-45409-allows-saml-authentication-bypass/?&web_view=true
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.