Passport-SAML auth bypass triggers fix of critical, upstream XMLDOM bug

Rapid remedy follows reawakening of long-dormant bug threat

A critical vulnerability arising from improper input validation has been addressed in XMLDOM, the JavaScript implementation of W3C DOM for Node.js, Rhino, and browsers.

The flawed behavior was seemingly first flagged as potentially in need of remedy in 2016. But it was only with the recent discovery of an authentication bypass in Passport-SAML, the SAML 2.0 authentication provider for Node.js library Passport, that XMLDOM maintainers tackled the root cause of the problem.

“Xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing,” an XMLDOM advisory published on November 1 explained.

Breaking the assumption

“This breaks the assumption that there is only a single root node in the tree,” it continues, and poses “a potential issue for dependents”.

The bug was assigned CVE-2022-39353 and a severity rating of CVSS 9.4 by GitHub CVE Numbering Authority, later uprated in severity to CVSS 9.8 by the NIST National Vulnerability Database.

XMLDOM is widely used, with NPM detecting 2.8 million weekly downloads (albeit caveats apply regarding the accuracy of download counts).

DON’T MISS Gatsby patches SSRF, XSS bugs in Cloud Image CDN

Kurt Boberg, a maintainer on the project, told The Daily Swig: “Any security-critical workflow that accepts partial signatures on XML and reads a child node is likely affected by this issue.

“The core problem is that you can supply two XML documents to a request (one valid, one forged) and as long as the validator accepts the legitimate one, a property read via xmldom can potentially read a node value out of the forged document.”

Passport-SAML bypass

Passport-SAML, which has 167,000 weekly NPM downloads, mishandled cryptographic signature verification because of the XMLDOM flaw. Tracked as CVE-2022-39299, the high severity Passport-SAML issue potentially enabled an attacker “to bypass SAML authentication on a website using passport-saml,” The CVE description said.

“A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.”

The bug, assigned a severity score of CVSS 8.1, was patched on October 11.

‘Worst possible outcome’

Asked what other damage an attacker might potentially cause downstream of the XMLDOM bug, Boberg said it “really depends on the expectations around the XML parsing. The aforementioned SAML issue is pretty much the worst possible outcome.

Read more of the latest cybersecurity vulnerability news

“It really hinges on the parsing application making a security decision based on XML input from the user that it expects to be signed. It’s like stapling an additional page to a notarized document, and passing it through a verification process that only checks if the first page is notarized.”

He added: “The downstream impact depends entirely on what the legitimate document would let you do.”

Path to a patch

The related GitHub bug thread began in 2016, when an XMLDOM maintainer said the issue “appears to me to be a violation of the W3C DOM Level 2 Core Specification”.

Speculating that the flaw “might be a ‘false-positive’ bug”, he suggested “there is some utility in being able to parse multiple documents in a single stream, if the API can be re-tooled just a bit”. He also described doing so “silently without issuing even so much as a warning to consumers” as “odd”.

The thread then remained dormant until the emergence of the Passport-SAML vulnerability and its root cause quickly became apparent, prompting the rapid deployment of patches within @xmldom/xmldom NPM versions 0.7.7, 0.8.4, and 0.9.0-beta.4, together with mitigations, fix details, and advice to developers to align with the specs to avoid code breakage.

YOU MIGHT ALSO LIKE OpenSSL vulnerability downgraded to ‘high’ severity