Duo Finds SAML Vulnerabilities Affecting Multiple Implementations

mkorovesisduo
Level 4

This blog post by Duo Senior AppSec Engineer Kelby Ludwig describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.

Kelby and the rest of the Duo Labs research team identified multiple vendors that were affected by this flaw:

  • OneLogin - python-saml - CVE-2017-11427
  • OneLogin - ruby-saml - CVE-2017-11428
  • Clever - saml2-js - CVE-2017-11429
  • OmniAuth-SAML - CVE-2017-11430
  • Shibboleth - CVE-2018-0489
  • Duo Network Gateway - CVE-2018-7340

We recommend that individuals who rely on SAML-based SSO update any affected software to patch this vulnerability.

Learn more about the vulnerability and SAML in general in the blog.
