CVE-2020-26290
📋 TL;DR
This vulnerability in Dex's SAML connector allows attackers to bypass XML signature validation through XML encoding issues in the underlying Go library. This enables authentication bypass and potential account takeover for users relying on SAML authentication. Only organizations using Dex with SAML connectors are affected.
💻 Affected Systems
- Dex
📦 What is this software?
Dex by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to impersonate any user, gain unauthorized access to federated applications, and potentially escalate privileges across connected systems.
Likely Case
Authentication bypass enabling unauthorized access to applications using Dex as an identity provider via SAML, potentially leading to data exposure and privilege escalation.
If Mitigated
With proper network segmentation and monitoring, impact is limited to authentication bypass for specific applications using vulnerable SAML connectors.
🎯 Exploit Status
Exploitation requires understanding of SAML XML manipulation and access to SAML authentication flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.27.0
Vendor Advisory: https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
Restart Required: Yes
Instructions:
1. Stop the Dex service.
2. Update to version 2.27.0 or later.
3. Restart the Dex service.
4. Verify that SAML authentication works correctly.
🔧 Temporary Workarounds
Disable SAML Connectors
Temporarily disable all SAML connectors if they are not essential for operations.
Edit the Dex configuration to remove or comment out the SAML connector sections.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to Dex SAML endpoints
- Enable detailed logging and monitoring for SAML authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check the Dex version and configuration for SAML connector usage. If the version is < 2.27.0 and SAML connectors are enabled, the system is vulnerable.
Check Version:
dex version
Verify Fix Applied:
Verify that the Dex version is 2.27.0 or later and test the SAML authentication flow, confirming that responses with invalid signatures are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SAML authentication patterns
- Failed signature validation attempts followed by successful authentication
- Authentication from unexpected sources
Network Indicators:
- Unusual XML payloads in SAML requests
- Malformed XML in authentication flows
SIEM Query:
source="dex" AND (saml_failure OR xml_validation_error) AND auth_success
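The "failed signature validation followed by successful authentication" indicator above, as an added detection example (not code from the page or the Dex project), correlates events per client IP over constructed log lines; the logfmt-style field names (client_ip, connector_id, msg) and message strings are assumptions, not Dex's actual log schema:

```python
"""Flag SAML logins that follow a signature/XML validation failure from the
same client IP within a short window. Log format below is constructed."""
import re
from datetime import datetime

# Constructed sample lines; field names are assumptions, not Dex's real schema.
SAMPLE_LOG = """\
time="2020-12-20T10:00:01Z" level=error msg="saml: signature validation failed" connector_id=saml client_ip=203.0.113.7
time="2020-12-20T10:00:03Z" level=error msg="saml: xml validation error" connector_id=saml client_ip=203.0.113.7
time="2020-12-20T10:00:05Z" level=info msg="login successful" connector_id=saml client_ip=203.0.113.7 user=alice
time="2020-12-20T10:10:00Z" level=info msg="login successful" connector_id=saml client_ip=198.51.100.2 user=bob
time="2020-12-20T11:00:00Z" level=error msg="saml: signature validation failed" connector_id=saml client_ip=198.51.100.9
"""

# key=value or key="quoted value" pairs
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FAILURE_MARKERS = ("signature validation failed", "xml validation error")


def parse_line(line):
    """Parse one logfmt-style line into a dict; 'ts' holds the parsed time."""
    fields = {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_suspicious_logins(log_text, window_seconds=300):
    """Return (client_ip, user, time) tuples for successful SAML logins that
    occur within window_seconds after a validation failure from the same IP."""
    last_failure = {}  # client_ip -> datetime of most recent failure
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("connector_id") != "saml":
            continue
        ip, msg, ts = ev.get("client_ip"), ev.get("msg", ""), ev["ts"]
        if any(marker in msg for marker in FAILURE_MARKERS):
            last_failure[ip] = ts
        elif msg == "login successful":
            prior = last_failure.get(ip)
            if prior is not None and (ts - prior).total_seconds() <= window_seconds:
                hits.append((ip, ev.get("user"), ev["time"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("suspicious SAML login:", hit)
```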
🔗 References
- https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8
- https://github.com/dexidp/dex/releases/tag/v2.27.0
- https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
- https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/