CVE-2024-45409
📋 TL;DR
CVE-2024-45409 is a critical authentication bypass vulnerability in the Ruby SAML library where SAML response signatures are not properly verified. This allows unauthenticated attackers with access to any signed SAML document to forge SAML responses and log in as arbitrary users. All applications using vulnerable versions of ruby-saml or omniauth-saml are affected.
💻 Affected Systems
- ruby-saml
- omniauth-saml
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Omniauth Saml by Omniauth
Ruby Saml by Onelogin
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of SAML-based authentication systems allowing attackers to impersonate any user, including administrators, leading to full system takeover.
Likely Case
Attackers gain unauthorized access to user accounts, potentially accessing sensitive data and performing privileged actions.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the affected SAML service with potential for detection of anomalous authentication patterns.
🎯 Exploit Status
Exploitation requires access to a signed SAML document from the IdP, but the vulnerability makes forgery trivial once this is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ruby-saml 1.17.0 or 1.12.3
Vendor Advisory: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
Restart Required: Yes
Instructions:
1. Update your Gemfile to require 'ruby-saml', '>= 1.17.0' (or, on the 1.12 branch, '>= 1.12.3, < 1.13.0').
2. Run 'bundle update ruby-saml'.
3. Restart your Ruby application server.
🔧 Temporary Workarounds
Temporary signature validation override
Implement custom signature validation in application code as a temporary mitigation.
# Add custom validation logic in the SAML response handler
# This is complex and error-prone - patching is strongly preferred
🧯 If You Can't Patch
- Implement additional authentication factors (MFA) for all users
- Monitor authentication logs for suspicious patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check Gemfile.lock or run 'bundle show ruby-saml' to see installed version
Check Version:
bundle show ruby-saml | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'
Verify Fix Applied:
Verify that the installed version is 1.17.0+ (or 1.12.3 on the 1.12 branch) with 'bundle show ruby-saml', then test SAML authentication end to end.
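The version check above, as an added example that is not part of this advisory or of the ruby-saml project: it reads a Gemfile.lock, extracts the resolved ruby-saml version, and applies the advisory's fixed-version rule (1.17.0+ on the main line, 1.12.3 on the 1.12 backport branch). The Gemfile.lock fragment is constructed for the demo.

```ruby
# Constructed sample Gemfile.lock fragment (indentation mirrors Bundler's format).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7)
      omniauth-saml (2.1.0)
        omniauth (~> 2.1)
        ruby-saml (~> 1.12)
      ruby-saml (1.12.2)
        nokogiri (>= 1.13.10)
        rexml
LOCK

# Resolved gems sit at exactly 4 spaces of indentation in the specs block;
# dependency lines (6 spaces) such as "ruby-saml (~> 1.12)" are skipped.
def ruby_saml_version(lock_text)
  m = lock_text.match(/^ {4}ruby-saml \((\d+(?:\.\d+)*)\)/)
  m && m[1]
end

# Fixed-version rule from the advisory: 1.12.3 on the 1.12 branch,
# otherwise 1.17.0 or later. Gem::Version gives correct numeric ordering.
def fixed_for_cve_2024_45409?(version)
  return false if version.nil?
  v = Gem::Version.new(version)
  return v >= Gem::Version.new("1.12.3") if v.segments[0, 2] == [1, 12]
  v >= Gem::Version.new("1.17.0")
end

# A lockfile without ruby-saml at all is reported as not vulnerable here;
# omniauth-saml pulls ruby-saml in, so its absence means SAML is not in use.
def lockfile_vulnerable?(lock_text)
  version = ruby_saml_version(lock_text)
  return false if version.nil?
  !fixed_for_cve_2024_45409?(version)
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.first ? File.read(ARGV.first) : SAMPLE_LOCK
  ver = ruby_saml_version(text)
  puts "ruby-saml #{ver || 'not present'}: #{lockfile_vulnerable?(text) ? 'VULNERABLE' : 'not affected'}"
end
```

Run it as `ruby check.rb path/to/Gemfile.lock`; with no argument it checks the constructed sample, which pins 1.12.2 and is reported as vulnerable.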
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login from same IP
- Unusual user agent strings during SAML authentication
- Authentication from unexpected geographic locations
Network Indicators:
- Unusual SAML response sizes or patterns
- Multiple authentication requests from single source
SIEM Query:
source="application.log" AND ("SAML" OR "authentication") AND status="success" | stats count by src_ip, user
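The first log indicator above (failed SAML authentications followed by a success from the same source IP) and the SIEM query's per-IP, per-user count, as an added example that is not part of this advisory. The log format and lines are constructed for the demo; adapt the regex to your application's actual authentication log format.

```ruby
# Constructed sample application log lines (one SAML auth event per line).
SAMPLE_LOG = <<~LOG
  2024-09-20T10:00:01Z event=saml_auth status=failure src_ip=203.0.113.7 user=alice
  2024-09-20T10:00:04Z event=saml_auth status=failure src_ip=203.0.113.7 user=alice
  2024-09-20T10:00:09Z event=saml_auth status=failure src_ip=203.0.113.7 user=admin
  2024-09-20T10:00:15Z event=saml_auth status=success src_ip=203.0.113.7 user=admin
  2024-09-20T10:01:00Z event=saml_auth status=success src_ip=198.51.100.2 user=bob
  2024-09-20T10:02:30Z event=saml_auth status=failure src_ip=198.51.100.9 user=carol
LOG

# Assumed key=value log format; lines that do not match are ignored.
LINE_RE = /\A(?<ts>\S+) event=saml_auth status=(?<status>\w+) src_ip=(?<ip>\S+) user=(?<user>\S+)\z/

def parse_events(text)
  text.each_line.filter_map { |l| (m = LINE_RE.match(l.strip)) && m.named_captures }
end

# One alert per success that was preceded by at least `threshold` consecutive
# failures from the same source IP. The failure streak resets on each success.
def failures_then_success(events, threshold: 2)
  streak = Hash.new(0)
  alerts = []
  events.each do |e|
    ip = e["ip"]
    if e["status"] == "failure"
      streak[ip] += 1
      next
    end
    if streak[ip] >= threshold
      alerts << { ip: ip, user: e["user"], failures: streak[ip], at: e["ts"] }
    end
    streak[ip] = 0
  end
  alerts
end

# Equivalent of the SIEM query's "stats count by src_ip, user" aggregation.
def count_by_ip_user(events)
  events.group_by { |e| [e["ip"], e["user"]] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  events = parse_events(SAMPLE_LOG)
  failures_then_success(events).each { |a| puts "ALERT #{a.inspect}" }
  count_by_ip_user(events).each { |(ip, user), n| puts "#{ip} #{user} #{n}" }
end
```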
🔗 References
- https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
- https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
- https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html
- https://news.ycombinator.com/item?id=41586031
- https://security.netapp.com/advisory/ntap-20240926-0008/
- https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/