CVE-2023-29129

9.1 CRITICAL

📋 TL;DR

This vulnerability in Mendix SAML modules allows unauthenticated remote attackers to bypass authentication and gain unauthorized access to applications by exploiting insufficient verification of SAML assertions. It affects multiple Mendix versions across different compatibility tracks, specifically due to an incomplete fix for CVE-2023-25957 in non-default configurations. Organizations using the affected SAML modules are at risk of compromise.

💻 Affected Systems

Products:
  • Mendix SAML (Mendix 7 compatible)
  • Mendix SAML (Mendix 8 compatible)
  • Mendix SAML (Mendix 9 latest compatible, New Track)
  • Mendix SAML (Mendix 9 latest compatible, Upgrade Track)
  • Mendix SAML (Mendix 9.12/9.18 compatible, New Track)
  • Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track)
  • Mendix SAML (Mendix 9.6 compatible, New Track)
  • Mendix SAML (Mendix 9.6 compatible, Upgrade Track)
Versions:
  • Mendix 7 compatible: >= V1.17.3 < V1.18.0, >= V1.16.4 < V1.17.3
  • Mendix 8 compatible: >= V2.3.0 < V2.4.0, >= V2.2.0 < V2.3.0
  • Mendix 9 latest compatible, New Track: >= V3.3.1 < V3.6.1, >= V3.1.9 < V3.3.1
  • Mendix 9 latest compatible, Upgrade Track: >= V3.3.0 < V3.6.0, >= V3.1.8 < V3.3.0
  • Mendix 9.12/9.18 compatible, New Track: >= V3.3.1 < V3.3.15
  • Mendix 9.12/9.18 compatible, Upgrade Track: >= V3.3.0 < V3.3.14
  • Mendix 9.6 compatible, New Track: >= V3.1.9 < V3.2.7
  • Mendix 9.6 compatible, Upgrade Track: >= V3.1.8 < V3.2.6
Operating Systems: Not OS-specific; affects Mendix applications regardless of underlying OS
Default Config Vulnerable: ✅ No
Notes: This vulnerability is due to an incomplete fix for CVE-2023-25957 and affects specific non-default configurations of the SAML modules.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full administrative access to the application, leading to data theft, system takeover, or further network compromise.

🟠

Likely Case

Unauthenticated attackers bypass login to access sensitive application data or functionality, potentially escalating privileges.

🟢

If Mitigated

With proper patching or workarounds, authentication remains intact, preventing unauthorized access and limiting impact to minor disruptions.

🌐 Internet-Facing: HIGH, as it allows unauthenticated remote exploitation, making internet-exposed applications prime targets for attacks.
🏢 Internal Only: MEDIUM, as internal attackers could still exploit it, but network segmentation and access controls may reduce exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation likely involves crafting malicious SAML assertions to bypass authentication, with low complexity due to the unauthenticated nature and insufficient verification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update the Mendix SAML module to the fixed release for your track:
  • Mendix 7 compatible: V1.18.0 or later
  • Mendix 8 compatible: V2.4.0 or later
  • Mendix 9 latest compatible, New Track: V3.6.1 or later
  • Mendix 9 latest compatible, Upgrade Track: V3.6.0 or later
  • Mendix 9.12/9.18 compatible, New Track: V3.3.15 or later
  • Mendix 9.12/9.18 compatible, Upgrade Track: V3.3.14 or later
  • Mendix 9.6 compatible, New Track: V3.2.7 or later
  • Mendix 9.6 compatible, Upgrade Track: V3.2.6 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf

Restart Required: Yes

Instructions:

1. Identify the Mendix version and SAML module version in use.
2. Download and apply the patched version from the Mendix App Store or vendor sources.
3. Restart the Mendix application to apply changes.
4. Verify the fix by testing authentication functionality.

🔧 Temporary Workarounds

Disable SAML Authentication

all

Temporarily disable SAML-based authentication and use alternative methods (e.g., local authentication) if possible to mitigate the risk.

Modify Mendix application configuration to remove or disable SAML module settings.

Network Segmentation

all

Restrict access to affected applications using firewalls or network controls to limit exposure to trusted networks only.

Configure firewall rules to allow access only from specific IP ranges or VLANs.

🧯 If You Can't Patch

  • Implement strict network access controls to limit application exposure to internal or trusted users only.
  • Monitor authentication logs for unusual activity and set up alerts for failed or bypassed login attempts.

🔍 How to Verify

Check if Vulnerable:

Check the SAML module version in the Mendix application's configuration or via the Mendix Modeler under 'Project Settings' > 'App Store modules'.

Check Version:

In Mendix, navigate to 'Project' > 'Show Project Directory in Explorer' and inspect module metadata files, or use the Mendix Modeler interface to view installed modules.

Verify Fix Applied:

After updating, verify the SAML module version matches the patched version and test authentication with valid and invalid SAML assertions to ensure no bypass occurs.
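To make the version check above repeatable across many apps, here is an added helper (not from Mendix or the Siemens advisory) that encodes this page's affected ranges and fixed versions per compatibility track and reports whether an installed module version is in scope. Track names and the function names are this example's own; version bounds are those listed on this page.

```python
"""Check whether a Mendix SAML module version falls within the CVE-2023-29129
affected ranges listed in this advisory and report the first fixed release."""
import re

# Affected ranges per track (lower bound inclusive, upper bound exclusive),
# transcribed from the advisory's "Versions" list. Track labels are shortened here.
AFFECTED = {
    "Mendix 7 compatible": [("1.16.4", "1.17.3"), ("1.17.3", "1.18.0")],
    "Mendix 8 compatible": [("2.2.0", "2.3.0"), ("2.3.0", "2.4.0")],
    "Mendix 9 latest, New Track": [("3.1.9", "3.3.1"), ("3.3.1", "3.6.1")],
    "Mendix 9 latest, Upgrade Track": [("3.1.8", "3.3.0"), ("3.3.0", "3.6.0")],
    "Mendix 9.12/9.18, New Track": [("3.3.1", "3.3.15")],
    "Mendix 9.12/9.18, Upgrade Track": [("3.3.0", "3.3.14")],
    "Mendix 9.6, New Track": [("3.1.9", "3.2.7")],
    "Mendix 9.6, Upgrade Track": [("3.1.8", "3.2.6")],
}
# First fixed release per track, from the advisory's "Patch Version" list.
FIXED = {
    "Mendix 7 compatible": "1.18.0",
    "Mendix 8 compatible": "2.4.0",
    "Mendix 9 latest, New Track": "3.6.1",
    "Mendix 9 latest, Upgrade Track": "3.6.0",
    "Mendix 9.12/9.18, New Track": "3.3.15",
    "Mendix 9.12/9.18, Upgrade Track": "3.3.14",
    "Mendix 9.6, New Track": "3.2.7",
    "Mendix 9.6, Upgrade Track": "3.2.6",
}


def parse_version(text):
    """Accept 'V3.3.12' or '3.3.12' and return an int tuple so that 3.10.0
    compares greater than 3.6.1 (a plain string comparison gets this wrong)."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(track, version):
    """True if the version lies in any listed range for the track.
    Versions outside every listed range are reported as not affected by
    this CVE; the advisory lists no other ranges."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in AFFECTED[track])


def assess(track, version):
    """Return (affected, first_fixed_version) for one installed module."""
    return is_affected(track, version), FIXED[track]
```

Feed it the track and module version read from the Modeler as described above; a result of `(True, "3.3.15")`, for instance, means the install is in scope and names the release to move to.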

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts, SAML assertion failures, or successful logins from unexpected sources without proper credentials.

Network Indicators:

  • Abnormal SAML traffic patterns, such as repeated authentication requests or malformed SAML messages.

SIEM Query:

Example: 'source="mendix_logs" AND (event_type="authentication_failure" OR event_type="saml_bypass")'
