CVE-2020-5268

Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET

Severity Score: 7.3 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions (CPE): see the affected vendors, products and versions list below
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

In Saml2 Authentication Services for ASP.NET versions before 1.0.2, and between 2.0.0 and 2.6.0, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens: a caller that presents a token is assumed to be the subject of the token. The Saml2 protocol also supports issuing tokens that are tied to a subject through other means, e.g. holder-of-key, where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even when they specify another subject confirmation method. This could be used by an attacker who can get access to Saml2 tokens with a subject confirmation method other than bearer; the attacker could then use such a token to create a login session. This vulnerability is patched in versions 1.0.2 and 2.7.0.

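The missing check described above, as an added example in Python that is not part of the Sustainsys.Saml2 code: it reads the saml:SubjectConfirmation/@Method of a constructed assertion and accepts the token as a bearer token only when that method is bearer. The minimal assertion markup, the issuer URL and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def subject_confirmation_methods(assertion_xml: str) -> list:
    """Return the Method URI of every saml:SubjectConfirmation in the assertion
    (an empty list if the Subject carries none)."""
    # Stdlib parser is used so the example runs offline; a production validator
    # should parse with defusedxml and only after the XML signature has been verified.
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}SubjectConfirmation"
    return [sc.get("Method", "") for sc in root.findall(path)]


def acceptable_as_bearer(assertion_xml: str) -> bool:
    """The check the affected versions skipped: treat the assertion as a bearer
    token only if at least one SubjectConfirmation says so. A holder-of-key (or
    any other non-bearer) confirmation means presenting the token proves nothing
    about the presenter, so it must not create a login session by itself."""
    return BEARER in subject_confirmation_methods(assertion_xml)


def _assertion(subject_confirmation: str) -> str:
    # Constructed minimal assertion; Signature and Conditions are omitted (assumption).
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        f"{subject_confirmation}</saml:Subject></saml:Assertion>"
    )


BEARER_ASSERTION = _assertion(f'<saml:SubjectConfirmation Method="{BEARER}"/>')
HOK_ASSERTION = _assertion(f'<saml:SubjectConfirmation Method="{HOLDER_OF_KEY}"/>')
NO_CONFIRMATION = _assertion("")

if __name__ == "__main__":
    for name, doc in [("bearer", BEARER_ASSERTION), ("holder-of-key", HOK_ASSERTION),
                      ("none", NO_CONFIRMATION)]:
        verdict = "accept" if acceptable_as_bearer(doc) else "reject"
        print(f"{name}: methods={subject_confirmation_methods(doc)} -> {verdict}")
```

A bearer confirmation still needs its SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) checked; this block covers only the Method decision that the advisory is about.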

*Credits: N/A
CVSS Scores

CVSS v3.x (first vector)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS v3.x (second vector)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-01-02 CVE Reserved
  • 2020-04-21 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
  • CWE-303: Incorrect Implementation of Authentication Algorithm
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Sustainsys | Product: Saml2 | Version: < 1.0.2 | Other: - | Status: Affected
  • Vendor: Sustainsys | Product: Saml2 | Version: >= 2.0.0 < 2.7.0 | Other: - | Status: Affected