Symantec Security Response, SMNTC-1450
May 25, 2018 - 8:00 a.m.

SA167: SAML Authentication Bypass


EPSS: 0.004 (percentile 74.6%)

SUMMARY

When configured to authenticate network users with a SAML authentication realm, Symantec ASG and ProxySG incorrectly handle SAML responses that have XML nodes with comments. A remote attacker can modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls.
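A defensive check for this class of flaw, as an added example that is not Symantec's code. The advisory does not detail the parsing error, so the example assumes a parser that reads only the first text node of an element whose value is split by a comment. The sample response and all function names are constructed for illustration.

```python
from xml.dom import Node, minidom

# Constructed sample (not from the advisory): a NameID split by an XML comment.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Assertion><saml:Subject>'
    '<saml:NameID>alice<!-- c -->@example.com</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
)
CLEAN_RESPONSE = SAMPLE_RESPONSE.replace("<!-- c -->", "")
SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def first_text_node(elem):
    """Fragile read: only the first child text node, which ends at a comment."""
    child = elem.firstChild
    return child.data if child is not None and child.nodeType == Node.TEXT_NODE else ""


def full_text(elem):
    """Robust read: concatenate every text/CDATA node under the element."""
    parts = []
    for node in elem.childNodes:
        if node.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            parts.append(node.data)
        elif node.nodeType == Node.ELEMENT_NODE:
            parts.append(full_text(node))
    return "".join(parts)


def find_comments(node, path=""):
    """Return the path of every element that directly contains a comment."""
    hits = []
    for child in node.childNodes:
        if child.nodeType == Node.COMMENT_NODE:
            hits.append(path or "/")
        elif child.nodeType == Node.ELEMENT_NODE:
            hits.extend(find_comments(child, f"{path}/{child.tagName}"))
    return hits


def check_response(xml_text):
    """Refuse responses that carry comments; report both readings of NameID."""
    doc = minidom.parseString(xml_text)  # use a hardened parser for untrusted input
    comments = find_comments(doc)
    name_id = doc.getElementsByTagNameNS(SAML_ASSERTION_NS, "NameID")[0]
    return {"accept": not comments, "comment_paths": comments,
            "first_text": first_text_node(name_id), "name_id": full_text(name_id)}
```

A mismatch between `first_text` and `name_id` is the condition worth alerting on in logs; rejecting any response with comment nodes is the stricter policy.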

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway

CVE | Affected Version(s) | Remediation
All CVEs | 6.7 | Upgrade to 6.7.4.130.
All CVEs | 6.6 | Upgrade to 6.6.5.17.

ProxySG

CVE | Affected Version(s) | Remediation
All CVEs | 6.7 | Upgrade to 6.7.4.130.
All CVEs | 6.6 | Upgrade to 6.6.5.17.
All CVEs | 6.5 | Upgrade to 6.5.10.14.

ADDITIONAL PRODUCT INFORMATION

ASG and ProxySG are only vulnerable when authenticating network users in intercepted proxy traffic with a SAML authentication realm. This vulnerability does not affect administrator user authentication for the ASG and ProxySG management consoles.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis
Director
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Reporter
Security Analytics
SSL Visibility
X-Series XOS
Unified Agent

The following products are under investigation:
Norman Shark Industrial Control System Protection

ISSUES

CVE-2018-5241

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 104282 / NVD: CVE-2018-5241
Impact | Security control bypass
Description | ASG and ProxySG have a SAML authentication bypass vulnerability. The appliances can be configured with a SAML authentication realm to authenticate network users in intercepted proxy traffic. When parsing SAML responses, ASG and ProxySG incorrectly handle XML nodes with comments. A remote attacker can modify a valid SAML response without invalidating its cryptographic signature. This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.

REFERENCES

Duo Finds SAML Vulnerabilities Affecting Multiple Implementations - <https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations>
CERT VU#475445 - <https://www.kb.cert.org/vuls/id/475445>

REVISION

2018-11-06 A fix for ProxySG 6.5 is available in 6.5.10.14. Advisory Status moved to Closed.
2018-08-04 A fix for ProxySG 6.6 and ASG 6.6 is available in 6.6.5.17. Director is not vulnerable. Added SecurityFocus reference.
2018-07-23 A fix for ProxySG 6.7 and ASG 6.7 is available in 6.7.4.130.
2018-06-04 Security Analytics is not vulnerable.
2018-05-25 Initial public release.
