#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: ArcGIS Enterprise [1]
# Vendor:  Esri
# CSNC ID: CSNC-2021-006
# CVE ID:  Pending to be assigned by Esri
# Subject: Multiple SAML vulnerabilities (XSW, padding oracle)
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Philipp Mao, Felix Aeppli
# Date:    2021-9-30
#
#############################################################

Introduction:
-------------
ArcGIS [1] is a family of software providing geographic information
system services. The SAML implementation of the login portal for ArcGIS
before version 10.9 is vulnerable to SAML assertion reuse, SAML
signature wrapping attacks, and a padding oracle when using encrypted
assertions.

Affected:
---------
Vulnerable:
Esri Portal for ArcGIS < 10.9

Not vulnerable:
Esri Portal for ArcGIS > 10.9

Technical Description
---------------------
If SAML is available for authentication, a normal user can use these
vulnerabilities to escalate privileges and log in as any user of the
ArcGIS application.

For more details see the blog [2].

Workaround / Fix:
-----------------
Upgrade to version 10.9 or higher, or disable SAML authentication.

Timeline:
---------
2021-04-09: Discovery by Felix Aeppli and Philipp Mao
2021-04-09: Initial vendor notification/response
2021-07-13: Release of fixed version [3]
2021-09-30: Advisory release by Compass Security

References:
-----------
[1] https://enterprise.arcgis.com/
[2] https://blog.compass-security.com/?p=5930
[3] https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2021-update-1-patch/