CVE-2023-37471
📋 TL;DR
OpenAM up to version 14.7.2 has a critical SAML signature validation vulnerability that allows attackers to impersonate any user, including administrators, by sending crafted SAML responses. This affects all organizations using vulnerable OpenAM versions for SAML-based authentication. The vulnerability enables complete authentication bypass in SAMLv1.x Single Sign-On processes.
💻 Affected Systems
- Open Access Management (OpenAM)
📦 What is this software?
OpenAM by Open Identity Platform
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, potentially leading to data exfiltration, account takeover, and lateral movement across connected systems.
Likely Case
Attackers impersonate regular users to access sensitive applications and data, potentially escalating privileges to administrative access.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the OpenAM instance itself, though authentication bypass remains possible.
🎯 Exploit Status
Exploitation requires sending crafted SAML responses to the SAMLPOSTProfileServlet endpoint, which is straightforward for attackers familiar with SAML.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenAM 14.7.3-SNAPSHOT and later
Vendor Advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg
Restart Required: Yes
Instructions:
1. Upgrade to OpenAM 14.7.3-SNAPSHOT or later.
2. Restart the OpenAM service.
3. Verify SAML authentication works correctly after upgrade.
🔧 Temporary Workarounds
Disable SAMLPOSTProfileServlet
Comment out the vulnerable servlet in the pom.xml configuration file to prevent exploitation.
Edit pom.xml and comment out:
    <!--
    <servlet>
        <servlet-name>SAMLPOSTProfileServlet</servlet-name>
        <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
    </servlet>
    -->
🧯 If You Can't Patch
- Implement network-level controls to restrict access to SAMLPOSTProfileServlet endpoint
- Deploy a WAF with custom rules to detect and block malicious SAML responses
🔍 How to Verify
Check if Vulnerable:
Check OpenAM version: if version is 14.7.2 or earlier and SAMLv1.x is enabled, the system is vulnerable.
Check Version:
Check OpenAM admin console or deployment configuration for version information
Verify Fix Applied:
After upgrade, verify version is 14.7.3-SNAPSHOT or later and test SAML authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns: multiple failed SAML responses followed by a successful authentication from the same source
- SAML responses with invalid or missing signatures
Network Indicators:
- Unusual traffic to /SAML/POST endpoint
- SAML responses from unexpected sources or with abnormal patterns
SIEM Query:
source="openam" AND (message="SAML response validation failed" OR message="Invalid SAML signature")
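The following is an added example (not code from OpenAM or the advisory) that applies the SIEM query and the first log indicator above to sample log lines; the key=value log layout, the `src` field and the message texts are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real OpenAM output); the key=value
# layout is an assumption about how a SIEM would normalise them.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z source=openam src=10.0.0.5 message="SAML response validation failed"
2024-03-01T09:00:02Z source=openam src=10.0.0.5 message="Invalid SAML signature"
2024-03-01T09:00:03Z source=openam src=10.0.0.5 message="SAML response validation failed"
2024-03-01T09:00:04Z source=openam src=10.0.0.5 message="SAML authentication successful" user=amadmin
2024-03-01T09:00:05Z source=openam src=10.0.0.9 message="SAML authentication successful" user=alice
2024-03-01T09:00:06Z source=nginx src=10.0.0.5 message="Invalid SAML signature"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
FAILURE_MESSAGES = {"SAML response validation failed", "Invalid SAML signature"}
SUCCESS_MESSAGE = "SAML authentication successful"  # assumed success message


def parse_line(line):
    """Turn one key=value log line into a dict (quoted values unquoted)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def siem_match(fields):
    """Same condition as the SIEM query: OpenAM source with a SAML failure message."""
    return fields.get("source") == "openam" and fields.get("message") in FAILURE_MESSAGES


def suspicious_sources(log_text, min_failures=2):
    """Flag sources with >= min_failures SAML failures followed by a success (first Log Indicator)."""
    failures = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("source") != "openam":
            continue
        src = f.get("src", "unknown")
        if f.get("message") in FAILURE_MESSAGES:
            failures[src] += 1
        elif f.get("message") == SUCCESS_MESSAGE and failures[src] >= min_failures:
            flagged[src] = (failures[src], f.get("user"))
    return flagged


if __name__ == "__main__":
    hits = [l for l in SAMPLE_LOGS.splitlines() if siem_match(parse_line(l))]
    print(f"{len(hits)} lines match the SIEM query")
    for src, (n, user) in suspicious_sources(SAMPLE_LOGS).items():
        print(f"{src}: {n} SAML failures then successful login as {user}")
```

Tune `min_failures` to the baseline rate of legitimate signature failures in your environment so that ordinary misconfigured IdP responses do not page on-call.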
🔗 References
- https://github.com/OpenIdentityPlatform/OpenAM/commit/7c18543d126e8a567b83bb4535631825aaa9d742
- https://github.com/OpenIdentityPlatform/OpenAM/pull/624
- https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg