exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nevisAuth Authentication Bypass

nevisAuth Authentication Bypass
Posted Sep 21, 2015
Authored by Roland Bischofberger, Antoine Neuenschwander

nevisAuth versions since 4.13.0.0 (2012-11-21) and prior to 4.18.3.1 (2015-07-02) suffer from an authentication bypass vulnerability.

tags | advisory, bypass
advisories | CVE-2015-5372
SHA-256 | ad23e54747c35436add7b30033271b8704ead8a7da713d8ec53805179693f1de

nevisAuth Authentication Bypass

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: nevisAuth [1]
# Vendor: AdNovum [2]
# CVD ID: CVE-2015-5372
# Subject: Authentication Bypass
# Risk: Critical
# Effect: Remotely exploitable
# Authors: Antoine Neuenschwander (antoine.neuenschwander@csnc.ch)
# Roland Bischofberger (roland.bischofberger@csnc.ch)
# Date: 2015-09-21
#
#############################################################

Introduction:
-------------
nevisAuth implements strong user and system authentication for identity and
access management solutions. It offers secure execution of multi-step
authentication and is able to dynamically adjust authentication strengths.
nevisAuth is highly flexible, easily integrated and supports plug-ins to various
authentication methods. [1]

Security Analysts of Compass Security Schweiz AG [3] discovered a security flaw
in the SAML 2.0 implementation of nevisAuth, which allows an attacker to bypass
the signature validation of security assertions, and therefore impersonate other
users.


Affected:
---------
nevisAuth since v4.13.0.0 (2012-11-21)
A security fix was released with version v4.18.3.1 (2015-07-02)


Technical Description:
----------------------
When configured as a SAML 2.0 service provider (SP), nevisAuth authenticates
users based on security assertions issued and signed by a trusted identity
provider (IdP). An assertion contains various fields about the user or subject
being authenticated, e.g. a name identifier (NameID), various attributes and
timestamps. Trust is based on the IdP's certificate, which is used to validate
the digital signature of security assertions.

In a setup where security assertions are conveyed via User-Agent (i.e when using
HTTP POST Binding), it is possible to forge and inject new assertions based on
data intercepted during a valid past authentication process. To achieve this,
the signing certificate is extracted from the assertion and then cloned to
reflect all X.509 data fields. A new public/private key pair is generated. The
public key is inserted into the certificate and the private key is used to sign
it. The signing certificate in the security assertion is now replaced with its
rogue copy. The attacker can then modify arbitrary values of the assertion, for
example the NameID. Finally, the assertion is signed with the cloned
certificate.

Due to a flaw in affected versions of nevisAuth, it is possible to bypass
validation of security assertions by presenting the system with forged
assertions as described above. In consequence, an attacker can impersonate
other users. More details on the attack can be found in [4].


Workaround / Fix:
-----------------
AdNovum released a security fix in nevisAuth v4.18.3.1 (2015-07-02) to address
this issue.

Alternatively, when using HTTP POST Binding, use encrypted security assertions
for transmission via the User-Agent. Or completely avoid transmitting security
assertions over insecure channels by using HTTP Artifact Binding.


Timeline:
---------
2015-06-26: Discovered vulnerability
2015-06-30: CVE ID requested
2015-07-01: Initial vendor notification
2015-07-02: Vendor confirmed security issue
2015-07-03: Vendor released security fix & guidance to its customers
2015-07-06: CVE ID assigned
2015-09-21: Public disclosure


Acknowledgements:
-----------------
This vulnerability was discovered using the SAMLRaider Plugin [5] for Burp
Suite [6], developed by Roland Bischofberger (roland.bischofberger@csnc.ch) and
Emanuel Duss (emanuel.duss@gmail.com).


References:
-----------
[1]: https://www.nevis.ch/en/products/nevisauth-authentication-service.html
[2]: http://www.adnovum.ch/en/
[3]: http://www.csnc.ch/advisories
[4]: http://blog.csnc.ch/2015/09/saml-sp-authentication-bypass-vulnerability-in-nevisauth
[5]: https://github.com/SAMLRaider/SAMLRaider
[6]: http://portswigger.net/burp/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close