In this post, we break down an important security vulnerability, CVE-2024-1735, in the popular armeria-saml library. If your project uses an armeria-saml version earlier than 1.27.2, you could be at risk. Here's how the vulnerability works, how attackers can exploit it, and what you should do to fix it.
What is CVE-2024-1735?
armeria-saml is a library that implements SAML (Security Assertion Markup Language) authentication in Java applications. It’s widely used in enterprise setups that need single sign-on (SSO) and federated identity. In armeria-saml versions before 1.27.2, a critical authentication bypass flaw has been discovered. This allows an attacker to send specially crafted SAML messages and bypass authentication checks entirely.
How Does the Vulnerability Work?
The vulnerability exists in the logic that parses and validates incoming SAML assertions. In affected versions, attackers can craft a SAML response where authentication gets incorrectly validated as successful, regardless of the actual assertion.
Here's a simplified breakdown:
- Normally, the application expects a signed, valid SAML assertion from a trusted Identity Provider (IdP).
- An attacker instead sends a malicious SAML message to the application (armeria-saml < 1.27.2).
- Because of improper verification, armeria-saml fails to properly check the signature or skips certain validation steps, accepting the assertion as valid.
Example: Exploit SAML Assertion
Here's a code snippet showing how this might be exploited, and how vulnerable code looks (simplified):
    // Vulnerable usage (prior to 1.27.2)
    SamlMessage message = SamlMessage.parse(receivedSamlMessage);
    // validate() is expected to reject unsigned or badly signed assertions,
    // but in affected versions it can report success anyway
    AuthenticationDetails details = SamlValidator.validate(message);
    if (details.isAuthenticated()) {
        // Let user in!
    }
An attacker can send a SAML message with a manipulated assertion like:
    <saml:Assertion>
        <saml:Subject>
            <saml:NameID>attacker@evil.com</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="..." NotOnOrAfter="..."></saml:Conditions>
        <!-- Omit or alter signature block! -->
    </saml:Assertion>
In vulnerable versions, if signature validation is missing or improperly checked, the attacker is authenticated.
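To make concrete what "properly checking the signature" means on the service-provider side, here is an added example of the checks a SAML consumer must enforce before trusting an assertion. It is not armeria-saml's own code; it uses only the JDK's javax.xml.crypto.dsig API and assumes the trusted IdP's public key (idpKey) has already been loaded from its metadata.

```java
import java.security.PublicKey;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class AssertionChecks {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Parse with external entities/DTDs disabled; SAML never needs them.
    public static Document parse(java.io.InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(in);
    }

    /** True only if the single Assertion is signed by idpKey and valid at 'now'. */
    public static boolean isTrustworthy(Document doc, PublicKey idpKey, Instant now) throws Exception {
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        if (assertions.getLength() != 1) return false;           // exactly one assertion
        Element assertion = (Element) assertions.item(0);
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;                 // missing signature => reject, never skip
        Element sigEl = (Element) sigs.item(0);
        if (sigEl.getParentNode() != assertion) return false;    // must be the assertion's own signature
        assertion.setIdAttribute("ID", true);                    // lets Reference URI="#<ID>" resolve
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;                    // cryptographic check against the IdP key
        String expected = "#" + assertion.getAttribute("ID");
        boolean coversAssertion = false;                         // signature must cover THIS element
        for (Object o : sig.getSignedInfo().getReferences()) {
            if (expected.equals(((Reference) o).getURI())) coversAssertion = true;
        }
        if (!coversAssertion) return false;
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() != 1) return false;                // time window is mandatory here
        Element c = (Element) conds.item(0);
        Instant notBefore = Instant.parse(c.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(c.getAttribute("NotOnOrAfter"));
        return !now.isBefore(notBefore) && now.isBefore(notOnOrAfter);
    }
}
```

A real service provider additionally checks Audience, InResponseTo and the Issuer against the expected IdP; the point here is that an absent or unverifiable signature is a hard failure, not a step to skip.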
How Do I Fix This?
There’s only one *correct* way: Upgrade armeria-saml to at least 1.27.2.
In Maven:
    <dependency>
        <groupId>com.linecorp.armeria</groupId>
        <artifactId>armeria-saml</artifactId>
        <version>1.27.2</version>
    </dependency>
In Gradle:
    implementation 'com.linecorp.armeria:armeria-saml:1.27.2'
Make sure to rebuild and redeploy all applications using the outdated library.
Important References
- GitHub Security Advisory for CVE-2024-1735
- armeria-saml GitHub Repository
- SAML Specification
- OSS Security Mailing List Discussion
Conclusion
CVE-2024-1735 is a critical vulnerability that can put your users and data at serious risk. If you use armeria-saml, upgrade now. Always validate and test that your identity provider flows are secure.
Stay safe, keep your software up-to-date, and patch vulnerable dependencies!
Timeline
Published on: 02/26/2024 16:27:53 UTC
Last modified on: 02/26/2024 16:32:25 UTC