
Akamai offers post-mortem on recently resolved authentication platform vulnerability

Akamai has published a deep-dive analysis of a recently patched flaw in its Enterprise Application Access (EAA) access control and authentication platform.

EAA allows enterprise users to make access control and authentication decisions based on identity information offered by a third-party identity provider.

The developers of EAA used the Lasso open source library to add support for the Security Assertion Markup Language (SAML) v2.0 authentication protocol, a technology widely used by identity providers.

The reliance on Lasso left EAA exposed to a recently discovered XML Signature Wrapping (XSW) vulnerability in the library. XML Signature Wrapping is a well-known class of vulnerability in SAML and other XML-DSig consumers: the verifier checks a signature that is genuine, but then acts on XML content that the signature never covered.

Coordinated response

The Lasso vulnerability, tracked as CVE-2021-28091, could allow an attacker to doctor a valid, signed SAML response so that it also contains an unsigned SAML assertion of their choosing. Because the library verified the signature on one assertion but then consumed the unsigned one, the relying party would act on attacker-controlled identity data.

The flaw was given a CVSS score of 8.2, towards the top end of the scale.

In the case of EAA, the reliance on Lasso set up the preconditions for a possible exploit in which an attacker impersonates another user of the targeted system. As with any XSW attack, the attacker first needs a legitimately signed SAML response to tamper with, since the signature itself still has to verify.

Obtaining such a response could take the form of a manipulator-in-the-middle attack or, alternatively, the abuse of compromised credentials obtained through phishing.

Fortunately, incident response experts at Akamai and developers at Lasso were able to work together on a coordinated disclosure process while a patch was developed.

Patch development

The fix, explained in some depth in Akamai’s technical blog post, involves tighter cryptographic checks and controls on what constitutes a valid SAML response: in particular, ensuring that the assertion the application relies on is the one the signature actually covers.
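To make the XSW flaw described above and the shape of the fix concrete, the following is an added, self-contained example written for this page; it is not Lasso's or Akamai's code. It uses stand-ins for the real machinery: no XML namespaces, and an HMAC over the assertion's serialisation in place of an XML-DSig RSA signature (the key, IDs and subject names are all constructed). The verification mistake it models is the real one: checking a signature that is genuine, then reading identity data from a different assertion. `wrap()` plays the attacker, who starts from a response legitimately issued for the `attacker` subject, as the previous section notes is required.

```python
"""Simplified XML Signature Wrapping (XSW) demo, constructed for this page.
Stand-ins, not real SAML/XML-DSig: no namespaces, and the 'signature' is an
HMAC over the assertion's serialisation instead of an XML-DSig signature."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-demo-idp-key"  # stands in for the IdP's signing key


def canonical(elem):
    """Serialise an element without its enveloped Signature child."""
    e = copy.deepcopy(elem)
    for sig in e.findall("Signature"):
        e.remove(sig)
    return ET.tostring(e)


def idp_response(subject, assertion_id="A1"):
    """IdP side: a Response holding one signed Assertion for `subject`."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "NameID").text = subject
    mac = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = mac
    return ET.tostring(root)


def signature_is_valid(elem):
    """True iff elem carries a Signature whose Reference names elem's own ID
    and whose value matches elem's content."""
    sig = elem.find("Signature")
    if sig is None:
        return False
    ref = sig.find("Reference")
    if ref is None or ref.get("URI") != "#" + (elem.get("ID") or ""):
        return False
    expected = hmac.new(IDP_KEY, canonical(elem), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.findtext("SignatureValue") or "")


def wrap(response_xml, forged_subject):
    """Attacker side: keep the genuinely signed assertion (so a signature
    still verifies) but bury it in an Extensions element, and put an unsigned
    assertion for `forged_subject` where a naive SP will look first."""
    root = ET.fromstring(response_xml)
    signed = root.find("Assertion")
    root.remove(signed)
    forged = ET.Element("Assertion", ID="A2")  # constructed, unsigned
    ET.SubElement(forged, "NameID").text = forged_subject
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(signed)
    return ET.tostring(root)


def vulnerable_subject(response_xml):
    """SP, XSW-prone: verifies a signature somewhere in the document, then
    reads the subject from the first Assertion it finds. The two lookups need
    not agree, and that gap is the bug."""
    root = ET.fromstring(response_xml)
    signed = [a for a in root.iter("Assertion") if a.find("Signature") is not None]
    if not signed or not signature_is_valid(signed[0]):
        raise ValueError("no valid signature")
    return root.find(".//Assertion/NameID").text  # may not be the signed one


def hardened_subject(response_xml):
    """SP, fixed: exactly one Assertion as a direct child of Response, the
    Signature's Reference must resolve to that very element, and the subject
    is read only from the element the signature covered."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("Assertion")  # direct children only
    if len(assertions) != 1:
        raise ValueError("expected exactly one top-level Assertion")
    assertion = assertions[0]
    sig = assertion.find("Signature")
    ref = sig.find("Reference") if sig is not None else None
    if ref is None:
        raise ValueError("assertion is not signed")
    uri = ref.get("URI") or ""
    target = next((e for e in root.iter() if e.get("ID") == uri[1:]), None)
    if target is not assertion or not signature_is_valid(assertion):
        raise ValueError("signature does not cover this assertion")
    return assertion.findtext("NameID")


if __name__ == "__main__":
    legit = idp_response("attacker")
    wrapped = wrap(legit, "admin")
    print(vulnerable_subject(legit), vulnerable_subject(wrapped))
    print(hardened_subject(legit))
    try:
        hardened_subject(wrapped)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened verifier makes three checks the vulnerable one skips: it refuses a response with more than one top-level assertion, it resolves the signature's `Reference` and insists the referenced element is the very one it is about to trust (so a duplicated ID on a forged assertion, or a copied `Signature` element, is caught by the content check), and it reads the subject only from that element. In a real deployment the same rule applies to the XML-DSig verification: never let the element you verify and the element you consume be selected by two independent lookups.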

The initial mitigations proposed by Lasso's developers in February turned out to be incomplete, prompting Akamai's engineers to suggest a more complete resolution that has since been adopted.

Sysadmins who rely on Lasso for their SAML authentication should patch as soon as possible, Akamai advises.

Source: https://portswigger.net/daily-swig/akamai-offers-post-mortem-on-recently-resolved-authentication-platform-vulnerability
