Researchers have identified a new vulnerability in a number of SAML libraries that can allow an attacker to impersonate a user without knowing the target’s password. SAML is an XML-based language commonly used in identity and single sign-on systems, and the bug affects products from many different vendors, including OneLogin and the Shibboleth Consortium.
In order to exploit the vulnerability, an attacker would need to be authenticated on the system he’s targeting. By modifying a portion of a SAML assertion for his account, the attacker could then authenticate as a separate user on the system.
“Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message,” an advisory from CERT/CC says.
“A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.”
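The parsing inconsistency CERT/CC describes, shown as an added example (not code from the advisory or from any affected library): a constructed NameID whose text is interrupted by an XML comment, a naive extraction that reads only the first text node, and a hardened extraction that reads every text node and rejects comments. The assertion, the `.example.org` suffix and the function names are assumptions for illustration.

```python
from xml.dom import minidom
from xml.dom.minidom import Node

# Constructed sample assertion (no signature shown). Exclusive canonicalization,
# the form SAML signatures normally cover, drops comments, so the signed bytes
# contain "user@example.com.example.org" as one string.
SAMPLE_ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<Subject><NameID>user@example.com<!-- -->.example.org</NameID></Subject>'
    '</Assertion>'
)

def _name_id_node(xml_text: str):
    """Locate the NameID element of a parsed assertion (comments preserved by minidom)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagName("NameID")[0]

def naive_name_id(xml_text: str) -> str:
    """Pattern the advisory warns about: only the first text child is read,
    so everything after the comment is silently dropped."""
    return _name_id_node(xml_text).firstChild.data

def all_text(node) -> str:
    """Concatenate every text/CDATA child: the value the signature actually covers."""
    return "".join(
        child.data
        for child in node.childNodes
        if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    )

def has_comment(node) -> bool:
    """True if any direct child of the element is an XML comment."""
    return any(child.nodeType == Node.COMMENT_NODE for child in node.childNodes)

def signed_name_id(xml_text: str) -> str:
    """What a canonicalizing signer/verifier sees for the NameID."""
    return all_text(_name_id_node(xml_text))

def hardened_name_id(xml_text: str) -> str:
    """Defensive extraction: refuse a NameID that contains comments at all,
    and otherwise return the full concatenated text so it matches the signed value."""
    node = _name_id_node(xml_text)
    if has_comment(node):
        raise ValueError("NameID contains an XML comment; rejecting assertion")
    return all_text(node)
```

Comparing `naive_name_id` with `signed_name_id` on the sample reproduces the mismatch the advisory describes; `hardened_name_id` is one way a service provider can close it regardless of which DOM API the underlying library uses.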
Kelby Ludwig, an application security engineer at Duo Security, discovered the vulnerability in December and reported it to CERT/CC, which began notifying affected vendors in January. Most of the affected vendors, including Duo, have released fixes for the issue, although CERT’s advisory lists a number of vendors that also could be affected. The way that the vulnerability affects a given product may vary pretty widely, Ludwig said, depending upon how the given identity provider and service provider are configured.
“The presence of this behavior is not great, but not always exploitable. SAML IdPs and SPs are generally very configurable, so there is lots of room for increasing or decreasing impact. For example, SAML SPs that use email addresses and validate their domain against a whitelist are much less likely to be exploitable than SPs that allow arbitrary strings as user identifiers,” Ludwig said in his advisory.
“On the IdP side, openly allowing users to register accounts is one way to increase the impact of this issue. A manual user provisioning process may add a barrier to entry that makes exploitation a bit more infeasible.”
Organizations using affected products should upgrade to fixed versions as soon as is practical.