CVE-2024-6202
📋 TL;DR
HaloITSM versions prior to 2.146.1 contain a SAML XML Signature Wrapping (XSW) vulnerability: when a SAML integration is enabled, an unauthenticated attacker who knows a user's email address can impersonate that user. This affects every organization running an unpatched HaloITSM with SAML configured. The result is complete account takeover, including of administrative accounts, without any credentials.
💻 Affected Systems
- HaloITSM
📦 What is this software?
Haloitsm by Haloservicesolutions
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, administrative access to the HaloITSM system, data exfiltration, and potential lateral movement to connected systems.
Likely Case
Attackers impersonate high-privilege users to access sensitive IT service management data, modify configurations, or create malicious tickets/requests.
If Mitigated
Limited impact if SAML integration is disabled. Network restrictions on the SAML endpoints reduce exposure but do not remove it: the forged response is posted to HaloITSM by the attacker's own browser, so anyone inside the allowed source range can still exploit the flaw.
🎯 Exploit Status
SAML XML Signature Wrapping is a well-known attack pattern with available tooling. In an XSW attack the SAML document is restructured so that the signature still verifies over the element it originally covered, while the application reads the subject from a different, unsigned element (for example a second Assertion inserted ahead of the signed one). No credentials for the target are required: the attacker only needs the target's email address and the ability to submit a crafted SAMLResponse to the HaloITSM assertion consumer endpoint.
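The following Python model is added here as an example; it is not HaloITSM code and not taken from the advisory. A toy IdP signs one Assertion, an attacker wraps the response so the signature still verifies while a second, unsigned Assertion names the victim, and a vulnerable service provider logs the victim in where a hardened one rejects the document. The HMAC stands in for XML-DSig (no canonicalisation, no certificates), and all names, IDs and the key are made up:

```python
# Added example (not HaloITSM code): toy model of SAML XML Signature Wrapping.
# The "signature" is an HMAC over the serialized bytes of the element a
# ds:Reference points at, standing in for XML-DSig (no C14N, no certificates).
# The structural flaw is the real one: the verifier checks the signature over
# one element while the service provider (SP) reads identity from another.
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(prefix, uri)

IDP_KEY = b"idp-shared-secret"  # constructed stand-in for the IdP signing key


def _assertion(email: str, assertion_id: str) -> ET.Element:
    a = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id)
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = email
    return a


def idp_issue_response(email: str) -> str:
    """Simulated IdP: a Response whose single Assertion is signed."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_r1")
    assertion = _assertion(email, "_a1")
    resp.append(assertion)
    digest = hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(resp, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}Reference", URI="#_a1")  # same-document ID reference
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = digest
    return ET.tostring(resp, encoding="unicode")


def attacker_wrap(signed_response: str, victim_email: str) -> str:
    """XSW: keep the signed Assertion intact (so the signature still verifies)
    but put an unsigned Assertion for the victim where a naive SP looks first."""
    root = ET.fromstring(signed_response)
    original = root.find(f"{{{SAML}}}Assertion")
    root.remove(original)
    root.insert(0, _assertion(victim_email, "_evil"))
    # Park the still-signed original under a wrapper the SP never consults.
    ET.SubElement(root, f"{{{SAMLP}}}Extensions").append(original)
    return ET.tostring(root, encoding="unicode")


def _signature_verifies(root: ET.Element):
    """Resolve the Reference URI by ID anywhere in the document (as XML-DSig
    does) and recompute the HMAC. Returns the signed element, or None."""
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return None
    target_id = sig.find(f"{{{DS}}}Reference").get("URI", "").lstrip("#")
    signed = next((el for el in root.iter() if el.get("ID") == target_id), None)
    if signed is None:
        return None
    expected = hmac.new(IDP_KEY, ET.tostring(signed), hashlib.sha256).hexdigest()
    actual = sig.find(f"{{{DS}}}SignatureValue").text or ""
    return signed if hmac.compare_digest(expected, actual) else None


def vulnerable_sp_login(response_xml: str):
    """The pattern behind XSW bugs: signature checked, identity read elsewhere."""
    root = ET.fromstring(response_xml)
    if _signature_verifies(root) is None:
        return None
    # BUG: first Assertion in document order, not the element that was signed.
    name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text if name_id is not None else None


def hardened_sp_login(response_xml: str):
    """Use only the element the signature covers; reject any Response that
    carries more than one Assertion or nests the signed one unexpectedly."""
    root = ET.fromstring(response_xml)
    signed = _signature_verifies(root)
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if signed is None or len(assertions) != 1 or assertions[0] is not signed:
        return None
    if signed.tag != f"{{{SAML}}}Assertion" or signed not in list(root):
        return None  # signed element must be a direct child Assertion of Response
    name_id = signed.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text if name_id is not None else None


def demo() -> dict:
    legit = idp_issue_response("attacker@example.com")  # attacker's own session
    forged = attacker_wrap(legit, "admin@example.com")  # only the email is needed
    return {
        "legit_vulnerable": vulnerable_sp_login(legit),
        "legit_hardened": hardened_sp_login(legit),
        "forged_vulnerable": vulnerable_sp_login(forged),
        "forged_hardened": hardened_sp_login(forged),
    }
```

Running demo() shows both SPs accept the legitimate response as attacker@example.com, the vulnerable SP accepts the wrapped response as admin@example.com, and the hardened SP returns None for it. The fix is not a stronger signature check; it is binding the identity the application uses to the exact element the signature covers and refusing documents with extra Assertions.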
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.146.1 and later; backported fixes are available starting from 2.143.61
Vendor Advisory: https://haloitsm.com/guides/article/?kbid=2154
Restart Required: Yes
Instructions:
1. Back up your HaloITSM instance.
2. Apply the backported fix (2.143.61 or later) or upgrade to 2.146.1+.
3. Restart the HaloITSM service.
4. Verify that SAML sign-in still works post-update.
🔧 Temporary Workarounds
Disable SAML Integration
Temporarily disable SAML authentication until patching is complete, using the alternative authentication methods configured for the instance.
Navigate to HaloITSM Admin > Authentication > SAML and disable the integration.
Network Segmentation
Restrict access to the SAML endpoints to trusted source IPs only. This narrows who can submit a forged response; it does not fix the signature check.
Configure firewall or reverse-proxy rules to limit access to the /saml/* endpoints (confirm the exact path against your deployment).
🧯 If You Can't Patch
- Disable SAML integration completely and use alternative authentication methods
- Implement strict network access controls to SAML endpoints and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check the HaloITSM version in the Admin panel and whether a SAML integration is enabled. Versions below 2.146.1 that do not carry the backported fix (2.143.61 or later) are vulnerable whenever SAML is enabled.
Check Version:
Check the Admin panel, or query the database directly, e.g. SELECT * FROM SystemSettings WHERE SettingName = 'Version' (confirm the table and column names against your installation's schema first).
Verify Fix Applied:
After patching, test SAML sign-in with a legitimate response and with a wrapped one (a valid IdP-signed response in which an unsigned Assertion for a different user is inserted ahead of the signed Assertion). The legitimate response must still log in; the wrapped one must be rejected outright, not logged in as either subject.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed SAML authentication attempts followed by a successful login from the same source IP within a short window
- Decoded SAMLResponse documents with an unusual structure: more than one Assertion, duplicate ID attributes, or an Assertion nested under an unexpected parent element
- Logins for privileged users from unexpected locations or times, or HaloITSM SAML logins with no matching sign-in event for that user at the IdP
Network Indicators:
- Unusual traffic patterns to the /saml/* endpoints, in particular POSTs to the assertion consumer endpoint from source IPs that do not otherwise use the instance
- Decoded SAMLResponse documents carrying more than one Assertion, more than one Signature, or a Signature whose Reference URI points at an element other than the Assertion the application consumed
- NameID or email values in the SAMLResponse that do not match the user normally seen from that source IP
Note that the SAMLResponse travels as a base64-encoded form field over TLS, so these checks need a TLS-terminating proxy or application-level logging of the decoded response.
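Added example, not HaloITSM tooling: a small Python check for the document shapes listed above, run over two constructed log lines (one benign, one wrapped). The saml_response= field and the /saml/acs path are assumptions about where a TLS-terminating proxy or application log records the base64 POST parameter; the checks are purely structural and need no IdP key:

```python
# Added example (not HaloITSM tooling): flag the document shapes that XSW
# produces in captured SAMLResponse values. Log lines are constructed; the
# saml_response= field is an assumption about where a TLS-terminating proxy
# or the application's own logging records the base64 POST parameter.
import base64
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

_NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"')
_SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
        '</ds:SignedInfo></ds:Signature>')


def _assertion(aid: str, email: str) -> str:
    return (f'<saml:Assertion ID="{aid}"><saml:Subject><saml:NameID>{email}'
            '</saml:NameID></saml:Subject></saml:Assertion>')


# Normal response: one Assertion, signed, directly under Response.
BENIGN_XML = (f'<samlp:Response {_NS} ID="_r1">'
              f'{_assertion("_a1", "user@example.com")}{_SIG}</samlp:Response>')
# XSW shape: unsigned Assertion for the victim first, signed original hidden
# inside an Extensions element that the application never consults.
XSW_XML = (f'<samlp:Response {_NS} ID="_r1">'
           f'{_assertion("_evil", "admin@example.com")}{_SIG}'
           f'<samlp:Extensions>{_assertion("_a1", "attacker@example.com")}'
           '</samlp:Extensions></samlp:Response>')


def _b64(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


# Constructed log lines (RFC 5737 documentation addresses, made-up timestamps).
LOG_LINES = [
    f"2024-07-01T10:00:01Z src_ip=203.0.113.5 path=/saml/acs saml_response={_b64(BENIGN_XML)}",
    f"2024-07-01T10:00:07Z src_ip=198.51.100.9 path=/saml/acs saml_response={_b64(XSW_XML)}",
]


def xsw_indicators(xml_bytes: bytes) -> list:
    """Structural checks only (no key needed); returns a list of findings."""
    root = ET.fromstring(xml_bytes)
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID") is not None}
    top_level = list(root)
    findings = []
    if len(assertions) != 1:
        findings.append(f"assertion_count={len(assertions)}")
    if len(signatures) > 1:
        findings.append(f"signature_count={len(signatures)}")
    if len(ids) != len(set(ids)):
        findings.append("duplicate_id")
    for ref in root.iter(f"{{{DS}}}Reference"):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is None:
            findings.append("dangling_reference")
        elif target is not root:  # a signature over the whole Response is fine
            if target.tag == f"{{{SAML}}}Assertion" and target is not assertions[0]:
                findings.append("signed_assertion_not_first")
            if target not in top_level:
                findings.append("signed_element_nested")
    return findings


def scan_log(lines) -> list:
    """Return (timestamp, findings) for each line whose SAMLResponse looks wrapped."""
    alerts = []
    for line in lines:
        m = re.search(r"saml_response=(\S+)", line)
        if not m:
            continue
        findings = xsw_indicators(base64.b64decode(m.group(1)))
        if findings:
            alerts.append((line.split()[0], findings))
    return alerts
```

scan_log(LOG_LINES) returns a single alert for the second line with assertion_count=2, signed_assertion_not_first and signed_element_nested; the benign line produces no findings. A Signature whose Reference points at the Response element itself is deliberately not flagged, since IdPs may sign the whole Response rather than the Assertion.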
SIEM Query (Splunk-style SPL; the field names src_ip, event_type and status are assumptions about how HaloITSM authentication logs are parsed in your environment):
source="haloitsm" event_type="saml_auth" status IN ("failed", "success") | transaction src_ip maxspan=5m startswith=eval(status=="failed") endswith=eval(status=="success") | where eventcount > 1
If the application logs rejected signatures by name, alert on those directly as well: source="haloitsm" message="*XML*Signature*Wrapping*"