Reference: Vulnerability Note VU#475445 https://www.kb.cert.org/vuls/id/475445
System/application: Ubisecure SAML SP for .NET
Date/Time Resolved: March 1st, 2018
Status: Resolved

Issue Accouncement:

It was announced to the public that multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal.

The impact is that SAML service providers may be vulnerable to identity impersonation.

Please see the following CERT.org announcement for full details:
https://www.kb.cert.org/vuls/id/475445

 

Scope of Impact:

Ubisecure SSO, Ubisecure CustomerID and Ubisecure SAML SP for Java modules and components are not affected by this vulnerability.

Ubisecure SAML SP for .NET may be impacted. This is being reviewed and if an issue is found will be resolved in a bug patch release.

 

Advised Corrective Action:

Immediate mitigation is possible through reconfiguration of the web.config file to use the username.attribute setting
https://developer.ubisecure.com/docs/display/IDS82/SAML+SP+for+ASP.NET+Customization

 

Additional recommendation(s):

Ubisecure advises customers using third-party integration products to contact the specific vendor for support and potential corrective action.

Ubisecure Support can provide further information on request to licensed component customers