201801-01

Denial of Service in timestamp validation function

Background

SAML messages and metadata use timestamps to express the validity of a given document based on the current time. These timestamps use a common format, xs:DateTime, in order to convey precise moments in time. Even though the SAML standard recommends not relying on time resolutions finer than milliseconds, the fact is that implementors use different precisions and therefore the SAML2 library tries to accommodate for all possible (and legal) values.

Description

When parsing a timestamp contained inside a SAML document, the SAML2 library uses a regular expression to validate its format and parse its components. The given regular expression sets no limits for the fraction of seconds part, such that an arbitrary amount of digits can be processed. This opens up the possibility to perform a denial of service attack by sending a large number of digits as the fraction of a second in a timestamp, making the processing script choke while evaluating the regular expression.

Affected versions

All simplesamlphp/saml2 versions 1.x, 2.x and 3.x are affected, up to (including) 1.10.3, 2.3.4 and 3.1, respectively.

Impact

An attacker can inject an arbitrary amount of digits into a valid xs:DateTime timestamp and send a SAML document with it to be processed by the library, making it hang while trying to process it, effectively achieving a denial of service.

Resolution

Upgrade to the latest versions of the library.

Credit

This security issue was discovered during a security audit performed by Cure53 and reported on December 18th 2017.