CVE-2023-41890

7.5 HIGH

📋 TL;DR

The Sustainsys.Saml2 library has an authentication bypass vulnerability: SAML responses are not properly validated, so an attacker can impersonate a legitimate identity provider or manipulate stored authentication state and potentially gain unauthorized access. Applications that use this library for SAML-based authentication are affected.

💻 Affected Systems

Products:
  • Sustainsys.Saml2 library for ASP.NET
Versions: 1.x before 1.0.3 and 2.x before 2.9.2
Operating Systems: Windows, Linux (when running ASP.NET applications)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the library's SAML authentication features and relying on issuer validation or stored authentication state.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass allowing attackers to impersonate any user, potentially gaining administrative privileges and full system access.

🟠

Likely Case

Unauthorized access to user accounts, privilege escalation, or session hijacking through manipulated SAML responses.

🟢

If Mitigated

Limited impact with proper validation in place, potentially only affecting specific authentication flows.

🌐 Internet-Facing: HIGH - SAML authentication is typically used for internet-facing applications, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications using SAML authentication could still be vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an understanding of the SAML protocol and the ability to craft malicious responses; no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3 or 2.9.2

Vendor Advisory: https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39

Restart Required: Yes

Instructions:

1. Update the NuGet package to version 1.0.3 (v1) or 2.9.2 (v2).
2. Update the package reference in the project file.
3. Rebuild and redeploy the application.
4. Restart the application services.

🔧 Temporary Workarounds

Workaround: Custom validation using AcsCommandResultCreated

Applies to: all affected versions

Implement custom issuer validation in the AcsCommandResultCreated notification handler, so that every SAML response is checked against the identity providers the application actually trusts before its principal is accepted.
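The following ASP.NET Core wiring is an added example of that workaround; it is not code from the advisory or from the Sustainsys.Saml2 project. It assumes the 2.x package layout (AddSaml2 from Sustainsys.Saml2.AspNetCore2, Saml2Response.Issuer as an EntityId, IdentityProviders.KnownIdentityProviders) and uses placeholder entity ids; the namespace and member names should be checked against the installed package version. The guard rejects any response whose Issuer is missing or is not one of the configured identity providers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.Saml2P;

// Added example (not project code): issuer allowlist enforced in the
// AcsCommandResultCreated notification as a stop-gap until the package is updated.
public static class SamlIssuerGuard
{
    // Throws if the response issuer is absent or not in the set of trusted issuers.
    // Kept as a separate method so it can be unit-tested without the middleware.
    public static void RequireKnownIssuer(Saml2Response response, IReadOnlyCollection<string> allowedIssuers)
    {
        string issuer = response?.Issuer?.Id;

        if (string.IsNullOrEmpty(issuer))
        {
            throw new AuthenticationException("SAML response has no Issuer; rejecting.");
        }

        // Ordinal comparison: entity ids are opaque URIs and must match exactly.
        if (!allowedIssuers.Contains(issuer, StringComparer.Ordinal))
        {
            throw new AuthenticationException(
                $"SAML response issuer '{issuer}' is not a configured identity provider; rejecting.");
        }
    }

    // Hypothetical ConfigureServices wiring; entity ids below are placeholders.
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml2(options =>
            {
                options.SPOptions.EntityId = new EntityId("https://sp.example.invalid/Saml2");

                options.IdentityProviders.Add(new IdentityProvider(
                    new EntityId("https://idp.example.invalid/metadata"), options.SPOptions)
                {
                    MetadataLocation = "https://idp.example.invalid/metadata",
                    LoadMetadata = true
                });

                // Runs after the library has built the sign-in result for an ACS request.
                // Throwing here aborts the sign-in before the principal is issued (assumption:
                // the exception propagates out of the ACS command rather than being swallowed).
                options.Notifications.AcsCommandResultCreated = (commandResult, saml2Response) =>
                {
                    var trusted = options.IdentityProviders.KnownIdentityProviders
                        .Select(idp => idp.EntityId.Id)
                        .ToList();

                    RequireKnownIssuer(saml2Response, trusted);
                };
            });
    }
}
```

Keep the allowlist derived from the configured identity providers rather than a hard-coded list, so that adding or removing an IdP in configuration keeps the guard in sync. A rejected response surfaces as an authentication failure in the application log, which is also the signal the detection section below looks for.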

🧯 If You Can't Patch

  • Implement additional validation layers in authentication logic
  • Monitor authentication logs for unusual issuer patterns or authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the package version in the project file or NuGet packages.config for a 1.x version below 1.0.3 or a 2.x version below 2.9.2.

Check Version:

Check the project's packages.config or .csproj file for the Sustainsys.Saml2 package version.

Verify Fix Applied:

Verify that the package version is 1.0.3 or higher (for v1) or 2.9.2 or higher (for v2).

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication attempts with different issuer values
  • Authentication from unexpected identity providers
  • Failed issuer validation attempts

Network Indicators:

  • Unusual SAML response patterns
  • SAML responses from unexpected sources

SIEM Query:

Search for authentication events whose SAML issuer value does not match the identity provider the sign-in was started against, or that come from an identity provider not in the application's configuration.
