Golang XML parser vulnerability can trigger SAML authentication bypass

On December 14, Mattermost and the Go team disclosed three security vulnerabilities in the Go language's XML parser. The vulnerabilities affect multiple Go-based implementations and may lead to a complete SAML authentication bypass.

XML parser cannot guarantee integrity

The following vulnerabilities in the Go XML parser mean that encoding and decoding XML input does not return reliable results: when a document is passed through the decoder and then the encoder, the XML markup can come back changed in unexpected ways:

·  CVE-2020-29509: XML attributes in Go's encoding/xml are unstable

·  CVE-2020-29510: XML directives in Go's encoding/xml are unstable

·  CVE-2020-29511: XML elements in Go's encoding/xml are unstable

These vulnerabilities are closely related; their common root cause is that maliciously crafted XML markup can mutate (change) across multiple rounds of Go encoding and decoding.

Mattermost product security engineer Nurminen explained that when an application uses this XML parser, its encoder and decoder do not retain the semantics of the original markup.

When an application processes XML and parses markup that is not the output it previously parsed and serialized, there is no guarantee that the parsed output matches the output of the previous round. In other words, passing XML through Go's encoder and decoder does not preserve its semantics.

One of the patches also demonstrates that, because of these vulnerabilities, discontinuities do occur during XML parsing. For example, the colon in `<:name>` is removed. Similarly, during serialization, XML tags with attributes whose value is the empty string ("") are rendered in full.

Authentication bypass

These may look like minor flaws, but many applications rely on semantic integrity, so the flaws can have serious consequences.

For example, an attacker can target an implementation that uses the XML parser above to bypass SAML authentication. Security Assertion Markup Language (SAML) is a web authentication standard used by many mainstream websites and services. Because of these vulnerabilities, a Go-based SAML implementation can be attacked by injecting malicious markup into a correctly signed SAML message: the result still appears to be correctly signed, but its semantics differ completely from those of the original document.

In an SSO system, an attacker exploiting a vulnerable XML parser may achieve privilege escalation or authentication bypass.

No patch currently

The Go security team has issued a security bulletin, but there is currently no patch that quickly fixes these vulnerabilities. Round-trip stability (the property that repeated rounds of encoding and decoding preserve the document) is not among the security features encoding/xml was designed to support, so a patch to the parser itself cannot ensure reliable XML parsing.

However, several Go-based projects have already released fixed versions, such as:

· Dex IDP version 2.27.0

· github.com/crewjam/saml version 0.4.3

· github.com/russellhaering/gosaml2 version 0.6.0