PT-2017-10393 · Uninett · Simplesamlphp

Thijs Kinkhorst · Published 2017-02-16 · Updated 2020-01-24 · CVE-2016-9955

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SimpleSAMLphp versions prior to 1.14.11

Description

The issue allows remote attackers to spoof signatures on SAML 1 responses, or possibly cause a denial of service, by leveraging the improper conversion of return values to boolean in the SimpleSAML XML Validator class constructor. The root cause is an incorrect check of return values in the signature validation utilities, which can be exploited by forcing an error during validation. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents in which this issue was exploited.

The underlying defect is the handling of the openssl_verify() function, which returns 1 when the signature was successfully verified, 0 if it failed to verify with the given key, and -1 in case an error occurs. The implicit conversion of the openssl_verify() return value to boolean turns the error state (-1, which is truthy) into a successful signature verification. To exploit the issue, SAML 1.1 metadata must be registered by the vulnerable Service Provider for the Identity Provider targeted by the attacker, and an incorrect context must be fed to the signature validation routines, or an exceptional error must be triggered.

Recommendations

Upgrade to the latest version of SimpleSAMLphp, which is 1.14.11 or later, to resolve the issue. As a temporary workaround, consider restricting access to the SimpleSAML XML Validator class constructor until a patch is available. Avoid using the verify() method from the RobRichardsXMLSecDSig class with untrusted input until the issue is resolved.
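The following PHP snippet is an added example, not code from SimpleSAMLphp or xmlseclibs. It contrasts the boolean cast behind this advisory with a strict check of the tri-state openssl_verify() result, using a constructed RSA key pair for the real success and failure cases; the error value (-1) is fed to the checks directly rather than provoked from OpenSSL, which is an assumption of the example.

```php
<?php
// Added example, not SimpleSAMLphp's or xmlseclibs' code. It shows why the
// openssl_verify() result (1 = valid, 0 = invalid, -1 or false = error)
// must be compared with === 1 instead of being cast to boolean.

// Vulnerable pattern: a bare truthiness test. -1 (error) is truthy, so a
// validation error is reported as a verified signature.
function signatureOkLoose($rc): bool
{
    return (bool) $rc;
}

// Hardened pattern: only the exact success value means "verified".
function signatureOkStrict($rc): bool
{
    return $rc === 1;
}

// Run every documented return value through both checks so the
// disagreement on the error value (-1) is visible side by side.
function compareChecks(): array
{
    $rows = [];
    foreach ([1, 0, -1, false] as $rc) {
        $rows[var_export($rc, true)] = [
            'loose'  => signatureOkLoose($rc),
            'strict' => signatureOkStrict($rc),
        ];
    }
    return $rows;
}

// Real round-trip on a constructed RSA key pair and a constructed message.
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_public(openssl_pkey_get_details($priv)['key']);
$msg  = 'constructed SAML 1.1 response body';
openssl_sign($msg, $sig, $priv, OPENSSL_ALGO_SHA256);

// Genuine signature and a tampered message, checked both ways.
$rcGood = openssl_verify($msg, $sig, $pub, OPENSSL_ALGO_SHA256);
$rcBad  = openssl_verify($msg . 'x', $sig, $pub, OPENSSL_ALGO_SHA256);

printf("valid:    loose=%d strict=%d\n", signatureOkLoose($rcGood), signatureOkStrict($rcGood));
printf("tampered: loose=%d strict=%d\n", signatureOkLoose($rcBad), signatureOkStrict($rcBad));
foreach (compareChecks() as $rc => $r) {
    printf("rc=%-5s loose=%d strict=%d\n", $rc, $r['loose'], $r['strict']);
}
```

Only the -1 row differs between the two checks, which is exactly the state the fix in 1.14.11 stops treating as a valid signature.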


Related Identifiers

CVE-2016-9955
DLA-1298-1
GHSA-P9CM-R7JG-8Q3G

Affected Products

Simplesamlphp