CVE-2021-28091

7.5 HIGH

📋 TL;DR

CVE-2021-28091 is a signature verification bypass vulnerability in Lasso, an open-source library for SAML authentication. Attackers can forge SAML assertions without valid cryptographic signatures, potentially bypassing authentication. All systems using Lasso for SAML-based authentication are affected.

💻 Affected Systems

Products:
  • Lasso
Versions: All versions prior to 2.7.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the Lasso library for SAML authentication is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete authentication bypass allowing unauthorized access to protected systems and data, potentially leading to account takeover, privilege escalation, and data breaches.

🟠 Likely Case

Authentication bypass in SAML-protected applications, enabling unauthorized access to web applications, SSO portals, and federated identity systems.

🟢 If Mitigated

Limited impact with proper network segmentation, multi-factor authentication, and monitoring of authentication anomalies.

🌐 Internet-Facing: HIGH - SAML authentication is commonly used for internet-facing applications and SSO portals.
🏢 Internal Only: MEDIUM - Internal applications using SAML authentication could be compromised if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Signature verification bypass vulnerabilities are typically easy to exploit once understood, though no public exploit code is documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: http://listes.entrouvert.com/arc/lasso/

Restart Required: Yes

Instructions:

1. Update Lasso to version 2.7.0 or later.
2. For package managers: 'apt-get update && apt-get install lasso' (Debian/Ubuntu) or 'yum update lasso' (RHEL/CentOS).
3. Rebuild and restart applications using the Lasso library.

🔧 Temporary Workarounds

Disable SAML authentication (applies to: all)

Temporarily disable SAML authentication and use alternative authentication methods.

Network segmentation (applies to: all)

Restrict access to SAML endpoints to trusted networks only.

🧯 If You Can't Patch

  • Implement additional authentication factors (MFA) for SAML-protected resources
  • Monitor authentication logs for suspicious SAML assertion patterns and failed signature validations

🔍 How to Verify

Check if Vulnerable:

Check the Lasso version with 'lasso-config --version' or through the package manager. If the version is earlier than 2.7.0, the system is vulnerable.

Check Version:

lasso-config --version

Verify Fix Applied:

Verify that the Lasso version is 2.7.0 or later: 'lasso-config --version' should report 2.7.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Failed signature verification attempts
  • SAML assertion processing errors
  • Unexpected successful authentications from unknown sources

Network Indicators:

  • Unusual SAML assertion patterns
  • SAML requests bypassing normal authentication flows

SIEM Query:

source="*lasso*" AND ("signature verification" OR "SAML assertion") AND (error OR failed OR bypass)
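The SIEM query above, implemented as an added example (not code from Lasso or from this advisory) over constructed syslog-style lines; the log format, host names and client addresses are assumptions, not real Lasso output. It applies the same three conditions as the query and additionally counts repeated failed-signature events per client, the pattern the "If You Can't Patch" section says to monitor.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed syslog-like format (not real Lasso output).
SAMPLE_LOGS = [
    "2021-03-10T09:12:01Z sp01 lasso[2301]: signature verification failed for assertion from idp.example.org client=203.0.113.5",
    "2021-03-10T09:12:02Z sp01 lasso[2301]: signature verification failed for assertion from idp.example.org client=203.0.113.5",
    "2021-03-10T09:12:03Z sp01 lasso[2301]: signature verification failed for assertion from idp.example.org client=203.0.113.5",
    "2021-03-10T09:13:40Z sp01 lasso[2301]: SAML assertion accepted for user alice client=198.51.100.7",
    "2021-03-10T09:14:00Z sp01 sshd[411]: error: failed password for root client=203.0.113.5",
    "2021-03-10T09:15:12Z sp02 lasso[2305]: SAML assertion processing error: malformed Response client=198.51.100.9",
]

# Mirrors the page's query:
#   source="*lasso*" AND ("signature verification" OR "SAML assertion") AND (error OR failed OR bypass)
TOPIC = re.compile(r"signature verification|SAML assertion", re.I)
OUTCOME = re.compile(r"\b(error|failed|bypass)\b", re.I)
SOURCE = re.compile(r"^\S+\s+\S+\s+(\S+?)\[\d+\]:")  # program name field, e.g. "lasso"
CLIENT = re.compile(r"client=(\S+)")


def matches_query(line: str) -> bool:
    """True when the line satisfies all three conditions of the SIEM query."""
    m = SOURCE.match(line)
    if not m or "lasso" not in m.group(1).lower():
        return False  # source="*lasso*" condition
    return bool(TOPIC.search(line) and OUTCOME.search(line))


def failed_signature_sources(lines, threshold=3):
    """Return client addresses with at least `threshold` failed signature verifications."""
    counts = Counter()
    for line in lines:
        if matches_query(line) and re.search(r"signature verification failed", line, re.I):
            m = CLIENT.search(line)
            counts[m.group(1) if m else "unknown"] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = [line for line in SAMPLE_LOGS if matches_query(line)]
    print(f"{len(hits)} lines match the query")
    print("repeated failed signatures:", failed_signature_sources(SAMPLE_LOGS))
```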
