Executive Summary

Summary
Title: Google SAML Single Sign on vulnerability

Information
Name: VU#612636
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2008-09-02
Last vendor modification: 2008-09-04
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Impact subscore: NA
Exploitability subscore: NA
Temporal score: NA
Environmental score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#612636

Google SAML Single Sign on vulnerability

Overview

The SAML Single Sign-On (SSO) Service for Google Apps contained a vulnerability that could have allowed an attacker to gain access to a user's Google account.

I. Description

The Security Assertion Markup Language (SAML) is a standard for transmitting authentication data between two or more security domains. In SAML terminology, the XML security packets are called assertions. Identity providers issue assertions to service providers, which grant the requests on the strength of those assertions. In the Google Single Sign-On (SSO) implementation, the authentication response did not include the identifier of the authentication request or the identity of the intended recipient. This may allow a malicious service provider to impersonate a user at other service providers.

More technical information about this issue is available in the whitepaper Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps, available at: http://www.ai-lab.it/armando/GoogleSSOVulnerability.html

Note that to exploit this vulnerability, the attacker would have to convince the user to log in to the attacker's site.

II. Impact

A malicious service provider might have been able to access a user's Google Account or other services offered by different identity providers.

III. Solution

Google has addressed this issue by changing the behavior of their SSO implementation. Administrators and developers were required to update their identity providers to include a valid recipient field in their assertions.
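The checks the description and solution above call for, written as an added Python example (not code from the CERT note or from Google's implementation): a service provider rejects a bearer assertion unless its Recipient is the SP's own assertion consumer service URL, its InResponseTo names a request the SP actually issued, and its AudienceRestriction names the SP. The XML, hostnames and request IDs are constructed for illustration, and XML signature verification is assumed to happen before this function runs.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCD = "a:Assertion/a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData"
AUD = "a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience"

def build_response(recipient=None, in_response_to=None, audience="https://sp.example.com"):
    """Constructed SAML 2.0 Response (unsigned, hypothetical names); the two
    optional attributes are exactly the ones the vulnerable endpoint ignored."""
    attrs = f' Recipient="{recipient}"' if recipient else ""
    attrs += f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" ID="_r1" Version="2.0">
  <a:Assertion ID="_a1" Version="2.0">
    <a:Issuer>https://idp.example.org</a:Issuer>
    <a:Subject><a:NameID>alice@example.org</a:NameID>
      <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <a:SubjectConfirmationData{attrs}/>
      </a:SubjectConfirmation></a:Subject>
    <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
    </a:AudienceRestriction></a:Conditions>
  </a:Assertion>
</p:Response>"""

def check_binding(response_xml, acs_url, sp_entity_id, outstanding_ids):
    """Service-provider-side checks that bind a bearer assertion to this SP and
    to a request it actually issued. Assumes the caller has already verified
    the XML signature on the assertion; this function does not."""
    root = ET.fromstring(response_xml)
    scd = root.find(SCD, NS)
    if scd is None:
        return False, "no SubjectConfirmationData"
    if scd.get("Recipient") != acs_url:  # addressed to another SP, or to nobody
        return False, f"Recipient {scd.get('Recipient')!r} is not this SP's ACS"
    if scd.get("InResponseTo") not in outstanding_ids:  # not an answer to our AuthnRequest
        return False, "InResponseTo does not match an outstanding request"
    if sp_entity_id not in {e.text for e in root.findall(AUD, NS)}:
        return False, "AudienceRestriction does not name this SP"
    return True, "ok"

if __name__ == "__main__":
    acs, sp = "https://sp.example.com/acs", "https://sp.example.com"
    # Legitimate: issued for us, answering request _req42 that we have outstanding.
    print(check_binding(build_response(acs, "_req42", sp), acs, sp, {"_req42"}))
    # Relayed by a malicious SP: the IdP issued it for that SP's own login request.
    evil = "https://evil-sp.example.net"
    print(check_binding(build_response(evil + "/acs", "_req9", evil), acs, sp, {"_req42"}))
    # Assertion carrying neither attribute, which the old endpoint would have accepted.
    print(check_binding(build_response(audience=sp), acs, sp, {"_req42"}))
```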


Do not log into untrusted sites

To mitigate future vulnerabilities, users should use caution when providing their credentials to log into Google services via third-party service providers.

Systems Affected

Vendor: Google
Status: Vulnerable
Date Updated: 2-Sep-2008

References

http://www.ai-lab.it/armando/GoogleSSOVulnerability.html
http://code.google.com/apis/apps/sso/saml_reference_implementation.html
http://www.ibm.com/developerworks/xml/library/x-samlmyth.html
http://en.wikipedia.org/wiki/Saml

Credit

Thanks to Alessandro Armando and the AVANTSSAR Project for reporting this issue, and to Google for providing technical information and feedback.

This document was written by Ryan Giobbi.

Other Information

Date Public: 06/13/2008
Date First Published: 09/02/2008 08:13:18 AM
Date Last Updated: 09/04/2008
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 2.10
Document Revision: 21

Original Source

Url : http://www.kb.cert.org/vuls/id/612636

CWE : Common Weakness Enumeration

Weight: 100 %
Id: CWE-287
Name: Improper Authentication

CPE : Common Platform Enumeration

Type: Application
Count: 1

Open Source Vulnerability Database (OSVDB)

Id: 48434
Description: Google Apps SAML Single Sign-On (SSO) Service Authentication Response Arbitra...