201704-02

Authentication context bypass in the multiauth module

Background

The multiauth module allows an Identity Provider to let the user choose which authentication mechanism he or she wants to use. The authentication mechanisms are defined in the config/authsources.php configuration file, and a list of valid sources for multiauth is defined in the configuration of the multiauth source itself.

Description

There is an issue in the multiauth module allowing an attacker to use any authentication source defined in the configuration but not explicitly allowed in the configuration of the multiauth module. This issue was due to the lack of proper validation of user’s input, resulting in the execution of arbitrary authentication sources even if they are not configured by a system administrator to be used in this context.

Affected versions

All SimpleSAMLphp versions before and including 1.14.13.

Impact

The fact that the multiauth module explicitly requires to configure a list of allowed authentication sources, makes the system administrator of an Identity Provider assume only those authentication sources defined in that list will be possibly used by end users when authenticating to services. However, the issue discussed here allows to authenticate with other authentication sources, making it possible to bypass authentication or even impersonate other users depending on the configuration of the IdP, provided that other authentication sources are defined that an attacker can use for profit, even if they were not intended to be used by multiauth.

Even though the consequences can potentially be serious (an attacker authenticating to a service he or she doesn’t have access to, or even impersonating other users or bypassing authentication completely), the ability to exploit this issue depends on an improper configuration of the IdP, leaving authentication sources available that can be used by a malicious user.

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered and reported on April 28, 2017 by Michel Minsoul.