Home Cyber Crime Akamai offers post-mortem on recently resolved authentication platform vulnerability

Akamai offers post-mortem on recently resolved authentication platform vulnerability

23
0


Lasso bug roped up and corralled by Enterprise Utility Entry builders

Akamai offers comprehensive post-mortem on recently resolved authentication platform vulnerability

Akamai has provided a deep dive analysis of a lately patched flaw in its Enterprise Utility Entry (EAA) access control and authentication platform.

EAA permits enterprise customers to make entry management and authentication choices primarily based on id data provided by a third-party id supplier.

Builders of EAA took benefit of the Lasso open source library to bolt on help for the Safety Assertion Markup Language (SAML) v2.0 authentication protocol – a expertise extensively utilized by id suppliers.

The reliance on Lasso left EAA uncovered to the results of a lately found XML Signature Wrapping (XSW) vulnerability within the library. XML Signature Wrapping is a recognized class of vulnerability (earlier examples here, here, and here).

Coordinated response

The Lasso vulnerability – tracked as CVE-2021-28091 – may enable an attacker to physician a legitimate SAML response in order that it incorporates an unsigned SAML assertion.

The flaw was given a CVSS rating of 8.2, in direction of the highest finish of the dimensions.

Catch up on the latest authentication-related security news

Within the case of EAA, the reliance on Lasso arrange the preconditions for a doable exploit the place an attacker impersonates one other consumer of the focused system.

Exploitation would probably take the type of some type of manipulator-in-the-middle assault or, alternatively, by way of the abuse of compromised credentials obtained by way of phishing.

Luckily, incident response specialists at Akamai and builders at Lasso have been capable of work collectively on a coordinated disclosure course of whereas a patch was developed.

Patch growth

The repair, defined in some depth in Akamai’s technical weblog publish, entails making use of tighter cryptographic checks and controls on what constitutes a legitimate request.

The preliminary mitigations proposed by builders in February turned out to be incomplete, prompting Akamai techies to counsel a extra full decision that has since been adopted.

Sysadmins who depend on Lasso for his or her SAML authentication ought to patch as quickly as doable, Akamai advises.

RELATED Apache Pulsar bug allowed account takeovers in certain configurations



Source link