#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  FusionAuth SAML Library [1]
# Vendor:   FusionAuth [2]
# CSNC ID:  CSNC-2021-004
# CVE ID:   CVE-2021-27736
# Subject:  XML External Entity
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Philipp Mao
# Date:     2021-4-21
#
#############################################################

Introduction:
-------------
FusionAuth provides authentication, authorization, and user management
for any app. The FusionAuth SAML Library implements SAML v2.0 bindings in
Java using JAXB and is employed in the FusionAuth IdP.

Compass Security [3] identified a vulnerability that allows remote
attackers to forge SAML messages containing XML external entities (XXE)
and thereby read files on the filesystem or send network requests to
other systems from the FusionAuth host.

Affected:
---------
Vulnerable:     fusionauth-samlv2 <0.5.4
Not vulnerable: fusionauth-samlv2 >=0.5.4

Technical Description
---------------------
Unauthenticated users can send forged SAML messages with XML external
entities to FusionAuth. FusionAuth parses the document, resolves the
external entities and reflects the expanded result on an error page, so
the attacker receives the content of the referenced resource directly.

The forged SAML messages with external entities may be sent in the
AuthnRequest or in the LogoutRequest, since neither of these requests
necessarily requires a signature; the XML is parsed before any signature
check could reject it. Any FusionAuth deployment exposing the SAML
endpoint, and any application using the fusionauth-samlv2 library, is
vulnerable.

The code responsible for parsing the XML is found in the parseFromBytes
function [4]. The function initializes javax.xml.parsers.DocumentBuilderFactory
without explicitly disabling document type definitions (DTDs) or external
entity resolution. The JDK's default DocumentBuilderFactory resolves
external general entities declared in a DTD, so a DOCTYPE with a SYSTEM
entity is expanded into the parsed document.
```
// Vulnerable version (pre-0.5.4): the factory is created with default
// settings, so DOCTYPE declarations and external entities are accepted.
private Document parseFromBytes(byte[] bytes) throws SAMLException {
  DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
  documentBuilderFactory.setNamespaceAware(true);
  try {
    DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
    return builder.parse(new ByteArrayInputStream(bytes));
  } catch (ParserConfigurationException | SAXException | IOException e) {
    throw new SAMLException("Unable to parse SAML v2.0 authentication response", e);
  }
}
```

Workaround / Fix:
-----------------
Upgrade to fusionauth-samlv2 0.5.4 or newer, where document type
definitions are disabled in the parser.

Timeline:
---------
2021-01-20: Discovery by Philipp Mao
2021-01-21: Initial vendor notification/response
2021-02-07: Release of fixed version
2021-02-25: Assigned CVE-2021-27736
2021-04-21: Coordinated public disclosure date

References:
-----------
[1] https://github.com/FusionAuth/fusionauth-samlv2
[2] https://fusionauth.io/
[3] https://compass-security.com
[4] https://github.com/FusionAuth/fusionauth-samlv2/blob/eb75ed9de1043c8d0564f0d1a136523457cc2dc3/src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java#L821
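Added example (not part of the original advisory and not code from the
fusionauth-samlv2 project): a stand-alone Java program that reproduces the
parser misconfiguration described in the Technical Description and places
it beside a hardened factory configuration. The forged AuthnRequest, the
entity name "xxe", the temporary "secret" file and the choice of the
saml:Issuer element as the reflection point are all constructed for the
demonstration; the feature URIs are the standard JAXP/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Mirrors the pre-0.5.4 configuration: namespace-aware, nothing else
    // changed, so the JDK default parser honours DOCTYPE and resolves
    // external SYSTEM entities. This is the vulnerable variant.
    static Document parseVulnerable(byte[] bytes)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        DocumentBuilder builder = f.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(bytes));
    }

    // Hardened variant: refuse any DOCTYPE outright (the single feature that
    // closes XXE), and additionally switch off external entity and DTD
    // loading in case the first feature is unsupported by another parser.
    static Document parseHardened(byte[] bytes)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for a real target such as
        // /etc/passwd; it is created and removed by the demo itself.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret-value");

        // Constructed forged AuthnRequest (assumption: unsigned request, as
        // the advisory notes neither AuthnRequest nor LogoutRequest needs a
        // signature). The DTD declares an external entity pointing at the
        // file and the Issuer element expands it into the parsed document.
        String forged = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE samlp:AuthnRequest [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
            + " ID=\"_abc123\" Version=\"2.0\" IssueInstant=\"2021-01-20T00:00:00Z\">\n"
            + "  <saml:Issuer>&xxe;</saml:Issuer>\n"
            + "</samlp:AuthnRequest>";
        byte[] bytes = forged.getBytes(StandardCharsets.UTF_8);

        // Vulnerable parser: the Issuer text now holds the file content,
        // which is exactly what an error page would reflect to the attacker.
        Document doc = parseVulnerable(bytes);
        String issuer = doc
            .getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer")
            .item(0).getTextContent();
        System.out.println("vulnerable parser expanded the entity to: " + issuer);

        // Hardened parser: the DOCTYPE is rejected before any entity is
        // resolved, so the file is never opened.
        try {
            parseHardened(bytes);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java XxeDemo.java` on JDK 11 or newer. The first line of output
shows the temporary file's content inside the Issuer element; the second
shows the SAXParseException from the hardened factory. When auditing a
library that wraps DocumentBuilderFactory, grep for `newInstance()` and
check that `disallow-doctype-decl` (or at least the two external-entity
features set to false) appears before `newDocumentBuilder()`; a bare
`setNamespaceAware(true)`, as in the vulnerable parseFromBytes, is the
pattern to flag.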