201801-01
Denial of Service in timestamp validation function
Background
SAML messages and metadata use timestamps to express the validity of a given document relative to the current time. These timestamps use a common format, xs:dateTime, to convey precise moments in time. Even though the SAML standard recommends not relying on time resolutions finer than milliseconds, implementors in practice use different precisions, and the SAML2 library therefore tries to accommodate all possible (and legal) values.
Description
When parsing a timestamp contained in a SAML document, the SAML2 library uses a regular expression to validate its format and extract its components. That regular expression places no upper bound on the fraction-of-seconds part, so an arbitrary number of digits is accepted and processed. This makes a denial-of-service attack possible: an attacker sends a timestamp whose fractional part consists of a very large number of digits, and the PHP process evaluating the regular expression stalls on it.
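The following PHP is an added example written for this advisory; it is not code from the simplesamlphp/saml2 library and does not reproduce the library's actual pattern. It shows the shape of an unbounded fraction-of-seconds pattern next to a hardened parser that caps the fractional digits, rejects oversized input before the regular expression runs, and fails closed when PCRE itself gives up. The patterns, the 9-digit cap, the 30-byte length limit and the function name are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the simplesamlphp/saml2 library. It shows an
// xs:dateTime parser that caps the fraction-of-seconds digits so that input
// length alone cannot drive the cost of the regular expression, and that
// treats a PCRE failure as a validation failure instead of a match.
// The patterns, the 9-digit cap, the 30-byte limit and the function name
// are assumptions made for this illustration.

// Assumed shape of the weak pattern: "\d+" accepts any number of fractional
// digits, so the regex engine's work grows with attacker-controlled length.
const XS_DATETIME_UNBOUNDED =
    '/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?Z$/D';

// Hardened pattern: at most 9 fractional digits (nanoseconds, far finer than
// the milliseconds SAML suggests relying on), anchored at both ends.
const XS_DATETIME_BOUNDED =
    '/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$/D';

// "YYYY-MM-DDThh:mm:ss" (19) + "." + 9 digits + "Z" = 30 bytes. Anything longer
// cannot match XS_DATETIME_BOUNDED, so it is rejected before PCRE runs at all.
const XS_DATETIME_MAX_LEN = 30;

function xsDateTimeToTimestamp(string $time): int
{
    if (strlen($time) > XS_DATETIME_MAX_LEN) {
        throw new InvalidArgumentException(sprintf(
            'xs:dateTime too long: %d bytes, maximum %d', strlen($time), XS_DATETIME_MAX_LEN
        ));
    }

    $matches = [];
    $result = preg_match(XS_DATETIME_BOUNDED, $time, $matches);
    if ($result === false) {
        // PCRE itself gave up (backtrack/recursion limit, bad UTF-8, ...).
        // A loose "== 0" comparison would treat this the same as "no match";
        // keep the two distinct so operators can see the engine failing.
        throw new RuntimeException('PCRE error ' . preg_last_error() . ' while parsing xs:dateTime');
    }
    if ($result !== 1) {
        throw new InvalidArgumentException('Invalid xs:dateTime: ' . $time);
    }

    [$year, $month, $day, $hour, $minute, $second] =
        array_map('intval', array_slice($matches, 1, 6));

    // \d{2} also accepts month 13 or hour 25; reject those explicitly.
    if (!checkdate($month, $day, $year) || $hour > 23 || $minute > 59 || $second > 59) {
        throw new InvalidArgumentException('Out-of-range field in xs:dateTime: ' . $time);
    }

    // The fraction is validated but deliberately dropped: the value is only
    // used for validity-window checks at second granularity.
    return gmmktime($hour, $minute, $second, $month, $day, $year);
}

// Constructed inputs (not from real SAML traffic): a plain timestamp, one with
// a maximal fraction, and an attack-style one with a million fractional digits.
$benign   = '2017-12-18T10:00:00Z';
$fraction = '2017-12-18T10:00:00.123456789Z';
$attack   = '2017-12-18T10:00:00.' . str_repeat('9', 1000000) . 'Z';

if (xsDateTimeToTimestamp($benign) !== xsDateTimeToTimestamp($fraction)) {
    throw new LogicException('fraction must not change the second-granularity timestamp');
}
echo xsDateTimeToTimestamp($benign), PHP_EOL;

try {
    xsDateTimeToTimestamp($attack);
    throw new LogicException('oversized fraction must be rejected');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two details matter beyond the bounded quantifier. The length check runs before preg_match, so a multi-megabyte timestamp never reaches PCRE at all, and the strict `=== false` test keeps a PCRE failure (for example pcre.backtrack_limit being hit) from being silently folded into the ordinary "invalid timestamp" path, where it would hide an attack in progress.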
Affected versions
All simplesamlphp/saml2 versions in the 1.x, 2.x and 3.x branches are affected, up to and including 1.10.3, 2.3.4 and 3.1 respectively.
Impact
An attacker can inject an arbitrary number of digits into the fraction-of-seconds part of an otherwise valid xs:dateTime timestamp and send a SAML document containing it to be processed by the library. The library hangs while trying to parse the timestamp, which amounts to a denial of service.
Resolution
Upgrade to the latest release of the library in the branch you use (1.x, 2.x or 3.x); versions later than those listed above are not affected.
Credit
This security issue was discovered during a security audit performed by Cure53 and reported on December 18, 2017.