CVE-2011-4625

7.5 HIGH

📋 TL;DR

CVE-2011-4625 is an XML encryption vulnerability in SimpleSAMLphp that allows attackers to decrypt or forge SAML messages. This affects SimpleSAMLphp installations before version 1.6.3 (Debian squeeze) and before 1.8.2 (Debian sid). Organizations using vulnerable versions for SAML-based authentication are at risk.

💻 Affected Systems

Products:
  • SimpleSAMLphp
Versions: All versions before 1.6.3 (Debian squeeze) and before 1.8.2 (Debian sid)
Operating Systems: Debian squeeze, Debian sid
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SimpleSAMLphp installations using XML encryption for SAML messages. Debian-specific versions are specified in the CVE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt sensitive SAML assertions containing user credentials or forge authentication messages to impersonate any user, potentially gaining unauthorized access to federated systems.

🟠 Likely Case

Attackers could decrypt SAML messages to obtain user attributes or forge authentication responses, leading to unauthorized access to applications relying on SimpleSAMLphp for authentication.

🟢 If Mitigated

With proper network segmentation and monitoring, impact would be limited to the SAML service itself, though authentication bypass could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

XML encryption attacks are well-documented and tools exist for SAML-specific exploitation. Attack requires network access to SAML endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SimpleSAMLphp 1.6.3 (squeeze) or 1.8.2 (sid)

Vendor Advisory: https://security-tracker.debian.org/tracker/CVE-2011-4625

Restart Required: Yes

Instructions:

1. Update SimpleSAMLphp to version 1.6.3 or higher for squeeze, or 1.8.2 or higher for sid.
2. Restart the web server (Apache/Nginx).
3. Verify SAML functionality post-update.

🔧 Temporary Workarounds

Disable XML encryption (applies to: all)

Configure SimpleSAMLphp to not use XML encryption if it is not required.

Edit the SimpleSAMLphp config: set 'encryption' => false in authsources.php

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to SimpleSAMLphp endpoints
  • Deploy WAF rules to detect and block XML encryption manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check SimpleSAMLphp version: grep 'version' /path/to/simplesamlphp/VERSION

Check Version:

cat /path/to/simplesamlphp/VERSION

Verify Fix Applied:

Verify version is >=1.6.3 (squeeze) or >=1.8.2 (sid) and test SAML authentication flows

📡 Detection & Monitoring

Log Indicators:

  • Failed SAML authentication attempts with malformed XML
  • Unusual XML parsing errors in SimpleSAMLphp logs

Network Indicators:

  • Unusual XML payloads to SAML endpoints
  • Multiple failed authentication attempts from single source

SIEM Query:

source="simplesamlphp.log" AND ("XML parsing error" OR "encryption error")
