CVE-2025-24894 (GCVE-0-2025-24894)
Vulnerability from cvelistv5 – Published: 2025-02-18 18:39 – Updated: 2025-02-18 19:46
VLAI?
Title
SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication
Summary
SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| italia | spid-aspnetcore |
Affected:
< 3.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T19:42:44.965339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:46:06.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spid-aspnetcore",
"vendor": "italia",
"versions": [
{
"status": "affected",
"version": "\u003c 3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:39:37.089Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw"
}
],
"source": {
"advisory": "GHSA-36h8-r92j-w9vw",
"discovery": "UNKNOWN"
},
"title": "SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24894",
"datePublished": "2025-02-18T18:39:37.089Z",
"dateReserved": "2025-01-27T15:32:29.451Z",
"dateUpdated": "2025-02-18T19:46:06.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-24894\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-18T19:15:28.090\",\"lastModified\":\"2025-02-18T19:15:28.090\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"SPID.AspNetCore.Authentication es un Autenticador Remoto AspNetCore para SPID. La autenticaci\u00f3n mediante Spid y CIE se basa en el est\u00e1ndar SAML2 que proporciona dos entidades: Proveedor de Identidad (IDP): el sistema que autentica a los usuarios y proporciona informaci\u00f3n de identidad (afirmaci\u00f3n SAML) al Proveedor de Servicios, en esencia, es responsable de la gesti\u00f3n de las credenciales e identidad de los usuarios; Proveedor de Servicios (SP): el sistema que proporciona un servicio al usuario y se basa en el Proveedor de Identidad para autenticar al usuario, recibe aserciones SAML del IdP para otorgar acceso a los recursos. La l\u00f3gica de validaci\u00f3n de la firma es central ya que asegura que no se puede crear una respuesta SAML con aserciones arbitrarias y luego suplantar a otros usuarios. No hay garant\u00eda de que la primera firma se refiera al objeto ra\u00edz, se deduce que si un atacante inyecta un elemento firmado como primer elemento, todas las dem\u00e1s firmas no ser\u00e1n verificadas. El \u00fanico requisito es tener un elemento XML firmado leg\u00edtimamente por el IdP, una condici\u00f3n que se cumple f\u00e1cilmente utilizando los metadatos p\u00fablicos del IdP. Un atacante podr\u00eda crear una respuesta SAML arbitraria que ser\u00eda aceptada por los SP utilizando SDK vulnerables, lo que le permitir\u00eda hacerse pasar por cualquier usuario de Spid y/o CIE. Esta vulnerabilidad se ha solucionado en la versi\u00f3n 3.4.0 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24894\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-18T19:42:44.965339Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-18T19:45:52.949Z\"}}], \"cna\": {\"title\": \"SAML Response Signature Verification Bypass in SPID.AspNetCore.Authentication\", \"source\": {\"advisory\": \"GHSA-36h8-r92j-w9vw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"italia\", \"product\": \"spid-aspnetcore\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw\", \"name\": \"https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-18T18:39:37.089Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-24894\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T19:46:06.822Z\", \"dateReserved\": \"2025-01-27T15:32:29.451Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-18T18:39:37.089Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-36H8-R92J-W9VW
Vulnerability from github – Published: 2025-02-18 19:25 – Updated: 2025-02-18 19:25
VLAI?
Summary
The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass
Details
Description
Authentication using Spid and CIE is based on the SAML2 standard which provides for two entities:
Identity Provider (IdP): the system that authenticates users and provides identity information ( SAML assertions ) to the Service Provider, essentially, it is responsible for managing user credentials and identity;
Service Provider (SP): The system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources.
The library spid-aspnetcorerefers to the second entity, i.e. the SP, and implements the validation logic of the SAML assertions present within the SAML response . The following is a summary diagram of an authentication flow via SAML:
As shown in the diagram, the IdP, after verifying the user's credentials, generates a signed SAML response, this is propagated to the SP by the user's browser and the SP, after verifying the signature, can extract the data needed to build the user's session.
The signature validation logic is central as it ensures that you cannot craft a SAML response with arbitrary assertions and thus impersonate other users.
The following is the validation code implemented in spid-aspnetcore.
internal static bool VerifySignature(XmlDocument signedDocument, IdentityProvider? identityProvider = null){
//...SNIP...
SignedXml signedXml = new SignedXml(signedDocument);
if (identityProvider is not null)
{
bool validated = false;
foreach (var certificate in identityProvider.X509SigningCertificates){
var publicMetadataCert = new X509Certificate2(Convert.FromBase64String(certificate));
XmlNodeList nodeList = (signedDocument.GetElementsByTagName("ds:Signature")?.Count > 1) ?
signedDocument.GetElementsByTagName("ds:Signature") :
(signedDocument.GetElementsByTagName("ns2:Signature")?.Count > 1) ?
signedDocument.GetElementsByTagName("ns2:Signature") :
signedDocument.GetElementsByTagName("Signature");
signedXml.LoadXml((XmlElement)nodeList[0]);
validated |= signedXml.CheckSignature(publicMetadataCert, true);
}
return validated;
}
else{
XmlNodeList nodeList = (signedDocument.GetElementsByTagName("ds:Signature")?.Count > 0) ?
signedDocument.GetElementsByTagName("ds:Signature") :
signedDocument.GetElementsByTagName("Signature");
signedXml.LoadXml((XmlElement)nodeList[0]);
return signedXml.CheckSignature();
}
//...SNIP...
}
The parameter signedDocument contains the SAML response in XML format, while the parameter identityProvider can contain the IdP info. If the parameter identityProvider has been specified, the public certificates of that IdP are extracted, so as to force their use during the signature verification, otherwise the certificates configured within the application are used.
Next, a response envelope is generated nodeList within which all XML elements containing an XML signature of part or all of the SAML response envelope are saved.
Finally, the first element of this list, i.e. the first signature found, is extracted and verified.
In a normal authentication flow, the SAML response looks like this (note that some fields and attributes have been omitted for ease of reading):
<samlp:Response ID="response_id" IssueInstant="2025-01-07T13:37:00Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://demo.spid.gov.it/validator
</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#response_id">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
<!-- DIGEST -->
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
<!-- SIGNATURE -->
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- CERTIFICATE -->
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="assertion_id" IssueInstant="2025-01-07T13:37:00Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://demo.spid.gov.it/validator
</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#assertion_id">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>
<!-- DIGEST -->
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
<!-- SIGNATURE -->
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- CERTIFICATE -->
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:AttributeStatement>
<saml:Attribute Name="spidCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
AGID-001
</saml:AttributeValue>
</saml:Attribute>
<!-- ... SNIP ... -->
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
The SDK code would get as the first element of the nodeList, that is nodeList[0], the signature referring to the entire SAML response, in fact the reference of the first signature <ds:Reference URI="#response_id"> points to the root object <samlp:Response ID="response_id" ...>. Therefore, verifying this signature will ensure that the entire content of the SAML response is intact and authentic.
However, there is no guarantee that the first signature refers to the root object, so if an attacker injects a signed element as the first element, all other signatures will not be verified. The only requirement is to have a legitimately signed XML element from the IdP, which is easily accomplished using the public metadata of the IdP.
The SAML response would be structured like this:
Impact
An attacker could craft an arbitrary SAML response that would be accepted by SPs using the vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user.
Complexity of the attack
The attacker needs an XML block containing a valid signature from one of the IdPs accepted by the SP. As described above, this requirement is satisfied by reading the public metadata of the IdP which is represented by a signed XML block of the IdP.
Related issues
N/A
PoC
- Clone the repository https://github.com/italia/spid-aspnetcore.git
- From the root of the project, enter the folder relating to the example webapp:
samples/1_SimpleSPWebApp/SPID.AspNetCore.WebApp/ - Change the value of the
AssertionConsumerServiceURLkey in the fileappsettings.jsonto a custom domain:https://$CUSTOM_DOMAIN:$CUSTOM_PORT/signin-spid - Compile and run the sample webapp using the following command, taking care to replace the placeholders with the same values used in step 3:
dotnet build "SPID.AspNetCore.WebApp.csproj" -o ./app/build && dotnet publish "SPID.AspNetCore.WebApp.csproj" -o ./app/publish && dotnet ./app/publish/SPID.AspNetCore.WebApp.dll -urls=https://$CUSTOM_DOMAIN:$CUSTOM_PORT - Visit URL:
https://$CUSTOM_DOMAIN:$CUSTOM_PORT/ - Click "Enter with SPID" > "DemoSpid" (second IdP in the list)
- Visit the "Response" > "Check Response" section
- Insert the following string into the "Audience" field (right column):
https://spid.aspnetcore.it/ - Click "Send response to Service Provider", note the redirect to
/home/loggedinand consequently the correct execution of the login on the example portal
- Repeat steps 5 to 8 inclusive
- Intercept the HTTP request generated in step 8 via an HTTP Proxy, such as PortSwigger's BurpSuite
- Perform URL-decoding and Base64-decoding of the POST
SAMLResponseparameter - Insert the content present at the following URL in the second line of the XML: https://demo.spid.gov.it/metadata.xml
- Change the contents of the tag
<saml:Assertion>, for example change theemailattribute to an arbitrary value:spid.tech@shielder.it - Run Base64-encoding and then URL-encoding the
SAMLResponseparameter - Send the request and note the redirect to
/home/loggedinwhich demonstrates the correct identification and therefore also the verification of the arbitrary signature inserted inSAMLResponsedespite the modification of the assertion
Recommended Solution
Verify all signatures within the SAML response and do not accept unsigned XML elements.
References
- https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
Credits
Severity ?
9.1 (Critical)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.0"
},
"package": {
"ecosystem": "NuGet",
"name": "SPID.AspNetCore.Authentication"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24894"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-18T19:25:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Description\n\nAuthentication using Spid and CIE is based on the SAML2 standard which provides for two entities:\n\nIdentity Provider (IdP): the system that authenticates users and provides identity information ( SAML assertions ) to the Service Provider, essentially, it is responsible for managing user credentials and identity;\nService Provider (SP): The system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources.\nThe library `spid-aspnetcorerefers` to the second entity, i.e. the SP, and implements the validation logic of the SAML assertions present within the SAML response . The following is a summary diagram of an authentication flow via SAML:\n\n\n\nAs shown in the diagram, the IdP, after verifying the user\u0027s credentials, generates a signed SAML response, this is propagated to the SP by the user\u0027s browser and the SP, after verifying the signature, can extract the data needed to build the user\u0027s session.\n\nThe signature validation logic is central as it ensures that you cannot craft a SAML response with arbitrary assertions and thus impersonate other users.\n\nThe following is the validation code implemented in `spid-aspnetcore`.\n\n```csharp\ninternal static bool VerifySignature(XmlDocument signedDocument, IdentityProvider? identityProvider = null){\n //...SNIP...\n SignedXml signedXml = new SignedXml(signedDocument);\n if (identityProvider is not null)\n {\n bool validated = false;\n foreach (var certificate in identityProvider.X509SigningCertificates){\n var publicMetadataCert = new X509Certificate2(Convert.FromBase64String(certificate));\n XmlNodeList nodeList = (signedDocument.GetElementsByTagName(\"ds:Signature\")?.Count \u003e 1) ?\n signedDocument.GetElementsByTagName(\"ds:Signature\") :\n (signedDocument.GetElementsByTagName(\"ns2:Signature\")?.Count \u003e 1) ?\n signedDocument.GetElementsByTagName(\"ns2:Signature\") :\n signedDocument.GetElementsByTagName(\"Signature\");\n signedXml.LoadXml((XmlElement)nodeList[0]);\n validated |= signedXml.CheckSignature(publicMetadataCert, true);\n }\n return validated;\n }\n else{\n XmlNodeList nodeList = (signedDocument.GetElementsByTagName(\"ds:Signature\")?.Count \u003e 0) ?\n signedDocument.GetElementsByTagName(\"ds:Signature\") :\n signedDocument.GetElementsByTagName(\"Signature\");\n signedXml.LoadXml((XmlElement)nodeList[0]);\n return signedXml.CheckSignature();\n }\n //...SNIP...\n}\n```\n\nThe parameter `signedDocument` contains the SAML response in XML format, while the parameter `identityProvider` can contain the IdP info. If the parameter `identityProvider` has been specified, the public certificates of that IdP are extracted, so as to force their use during the signature verification, otherwise the certificates configured within the application are used.\n\nNext, a response envelope is generated nodeList within which all XML elements containing an XML signature of part or all of the SAML response envelope are saved.\n\nFinally, the first element of this list, i.e. the first signature found, is extracted and verified.\n\nIn a normal authentication flow, the SAML response looks like this (note that some fields and attributes have been omitted for ease of reading):\n\n```xml\n\u003csamlp:Response ID=\"response_id\" IssueInstant=\"2025-01-07T13:37:00Z\" Version=\"2.0\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\u003e\n \u003csaml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"\u003e\n https://demo.spid.gov.it/validator\n \u003c/saml:Issuer\u003e\n \u003cds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\u003e\n \u003cds:SignedInfo\u003e\n \u003cds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/\u003e\n \u003cds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/\u003e\n \u003cds:Reference URI=\"#response_id\"\u003e\n \u003cds:Transforms\u003e\n \u003cds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/\u003e\n \u003c/ds:Transforms\u003e\n \u003cds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/\u003e\n \u003cds:DigestValue\u003e\n \u003c!-- DIGEST --\u003e\n \u003c/ds:DigestValue\u003e\n \u003c/ds:Reference\u003e\n \u003c/ds:SignedInfo\u003e\n \u003cds:SignatureValue\u003e\n \u003c!-- SIGNATURE --\u003e\n \u003c/ds:SignatureValue\u003e\n \u003cds:KeyInfo\u003e\n \u003cds:X509Data\u003e\n \u003cds:X509Certificate\u003e\n \u003c!-- CERTIFICATE --\u003e\n \u003c/ds:X509Certificate\u003e\n \u003c/ds:X509Data\u003e\n \u003c/ds:KeyInfo\u003e\n \u003c/ds:Signature\u003e\n \u003csamlp:Status\u003e\n \u003csamlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/\u003e\n \u003c/samlp:Status\u003e\n \u003csaml:Assertion ID=\"assertion_id\" IssueInstant=\"2025-01-07T13:37:00Z\" Version=\"2.0\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\n \u003csaml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"\u003e\n https://demo.spid.gov.it/validator\n \u003c/saml:Issuer\u003e\n \u003cds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\u003e\n \u003cds:SignedInfo\u003e\n \u003cds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/\u003e\n \u003cds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/\u003e\n \u003cds:Reference URI=\"#assertion_id\"\u003e\n \u003cds:Transforms\u003e\n \u003cds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/\u003e\n \u003c/ds:Transforms\u003e\n \u003cds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/\u003e\n \u003cds:DigestValue\u003e\n \u003c!-- DIGEST --\u003e\n \u003c/ds:DigestValue\u003e\n \u003c/ds:Reference\u003e\n \u003c/ds:SignedInfo\u003e\n \u003cds:SignatureValue\u003e\n \u003c!-- SIGNATURE --\u003e\n \u003c/ds:SignatureValue\u003e\n \u003cds:KeyInfo\u003e\n \u003cds:X509Data\u003e\n \u003cds:X509Certificate\u003e\n \u003c!-- CERTIFICATE --\u003e\n \u003c/ds:X509Certificate\u003e\n \u003c/ds:X509Data\u003e\n \u003c/ds:KeyInfo\u003e\n \u003c/ds:Signature\u003e\n \u003csaml:AttributeStatement\u003e\n \u003csaml:Attribute Name=\"spidCode\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"\u003e\n \u003csaml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\"\u003e\n AGID-001\n \u003c/saml:AttributeValue\u003e\n \u003c/saml:Attribute\u003e\n \u003c!-- ... SNIP ... --\u003e\n \u003c/saml:AttributeStatement\u003e\n \u003c/saml:Assertion\u003e\n\u003c/samlp:Response\u003e\n```\n\nThe SDK code would get as the first element of the `nodeList`, that is `nodeList[0]`, the signature referring to the entire SAML response, in fact the reference of the first signature `\u003cds:Reference URI=\"#response_id\"\u003e` points to the root object `\u003csamlp:Response ID=\"response_id\" ...\u003e`. Therefore, verifying this signature will ensure that the entire content of the SAML response is intact and authentic.\n\nHowever, there is no guarantee that the first signature refers to the root object, so if an attacker injects a signed element as the first element, all other signatures will not be verified. The only requirement is to have a legitimately signed XML element from the IdP, which is easily accomplished using the public metadata of the IdP.\n\nThe SAML response would be structured like this:\n\n\n\n### Impact\nAn attacker could craft an arbitrary SAML response that would be accepted by SPs using the vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user.\n\n### Complexity of the attack\nThe attacker needs an XML block containing a valid signature from one of the IdPs accepted by the SP. As described above, this requirement is satisfied by reading the public metadata of the IdP which is represented by a signed XML block of the IdP.\n\n### Related issues\nN/A\n\n### PoC\n\n1. Clone the repository https://github.com/italia/spid-aspnetcore.git\n2. From the root of the project, enter the folder relating to the example webapp: `samples/1_SimpleSPWebApp/SPID.AspNetCore.WebApp/`\n3. Change the value of the `AssertionConsumerServiceURL` key in the file `appsettings.json` to a custom domain: `https://$CUSTOM_DOMAIN:$CUSTOM_PORT/signin-spid`\n4. Compile and run the sample webapp using the following command, taking care to replace the placeholders with the same values \u200b\u200bused in step 3: `dotnet build \"SPID.AspNetCore.WebApp.csproj\" -o ./app/build \u0026\u0026 dotnet publish \"SPID.AspNetCore.WebApp.csproj\" -o ./app/publish \u0026\u0026 dotnet ./app/publish/SPID.AspNetCore.WebApp.dll -urls=https://$CUSTOM_DOMAIN:$CUSTOM_PORT`\n5. Visit URL: `https://$CUSTOM_DOMAIN:$CUSTOM_PORT/`\n6. Click \"Enter with SPID\" \u003e \"DemoSpid\" (second IdP in the list)\n7. Visit the \"Response\" \u003e \"Check Response\" section\n8. Insert the following string into the \"Audience\" field (right column): `https://spid.aspnetcore.it/`\n9. Click \"Send response to Service Provider\", note the redirect to `/home/loggedin` and consequently the correct execution of the login on the example portal\n\n\n\n10. Repeat steps 5 to 8 inclusive\n11. Intercept the HTTP request generated in step 8 via an HTTP Proxy, such as PortSwigger\u0027s BurpSuite\n12. Perform URL-decoding and Base64-decoding of the POST `SAMLResponse` parameter\n13. Insert the content present at the following URL in the second line of the XML: https://demo.spid.gov.it/metadata.xml\n14. Change the contents of the tag `\u003csaml:Assertion\u003e`, for example change the `email` attribute to an arbitrary value: `spid.tech@shielder.it`\n15. Run Base64-encoding and then URL-encoding the `SAMLResponse` parameter\n16. Send the request and note the redirect to `/home/loggedin` which demonstrates the correct identification and therefore also the verification of the arbitrary signature inserted in `SAMLResponse` despite the modification of the assertion\n\n\n\n### Recommended Solution\n\nVerify all signatures within the SAML response and do not accept unsigned XML elements.\n\n### References\n\n- https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html\n\n### Credits\n- [Abdel Adim `smaury` Oisfi](https://x.com/smaury92) di [Shielder](https://www.shielder.com)\n- [Paolo`paupu` Cavagli\u00e0](https://x.com/paupu_95) di [Shielder](https://www.shielder.com)\n- [Nicola `fromveeko` Davico](https://x.com/fromveeko) di [Shielder](https://www.shielder.com)",
"id": "GHSA-36h8-r92j-w9vw",
"modified": "2025-02-18T19:25:13Z",
"published": "2025-02-18T19:25:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw"
},
{
"type": "WEB",
"url": "https://github.com/italia/spid-aspnetcore/commit/093efa2273f8a1e0481f678a0bfcd57fbdc7b029"
},
{
"type": "PACKAGE",
"url": "https://github.com/italia/spid-aspnetcore"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass"
}
FKIE_CVE-2025-24894
Vulnerability from fkie_nvd - Published: 2025-02-18 19:15 - Updated: 2025-02-18 19:15
Severity ?
Summary
SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object, it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP\u0027s public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "SPID.AspNetCore.Authentication es un Autenticador Remoto AspNetCore para SPID. La autenticaci\u00f3n mediante Spid y CIE se basa en el est\u00e1ndar SAML2 que proporciona dos entidades: Proveedor de Identidad (IDP): el sistema que autentica a los usuarios y proporciona informaci\u00f3n de identidad (afirmaci\u00f3n SAML) al Proveedor de Servicios, en esencia, es responsable de la gesti\u00f3n de las credenciales e identidad de los usuarios; Proveedor de Servicios (SP): el sistema que proporciona un servicio al usuario y se basa en el Proveedor de Identidad para autenticar al usuario, recibe aserciones SAML del IdP para otorgar acceso a los recursos. La l\u00f3gica de validaci\u00f3n de la firma es central ya que asegura que no se puede crear una respuesta SAML con aserciones arbitrarias y luego suplantar a otros usuarios. No hay garant\u00eda de que la primera firma se refiera al objeto ra\u00edz, se deduce que si un atacante inyecta un elemento firmado como primer elemento, todas las dem\u00e1s firmas no ser\u00e1n verificadas. El \u00fanico requisito es tener un elemento XML firmado leg\u00edtimamente por el IdP, una condici\u00f3n que se cumple f\u00e1cilmente utilizando los metadatos p\u00fablicos del IdP. Un atacante podr\u00eda crear una respuesta SAML arbitraria que ser\u00eda aceptada por los SP utilizando SDK vulnerables, lo que le permitir\u00eda hacerse pasar por cualquier usuario de Spid y/o CIE. Esta vulnerabilidad se ha solucionado en la versi\u00f3n 3.4.0 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2025-24894",
"lastModified": "2025-02-18T19:15:28.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-18T19:15:28.090",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/italia/spid-aspnetcore/security/advisories/GHSA-36h8-r92j-w9vw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…