CVE-2017-11428 in Ruby-saml

Summary

by MITRE

OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.


Analysis

by VulDB Data Team • 02/28/2025

The vulnerability identified as CVE-2017-11428 affects OneLogin Ruby-SAML version 1.6.0 and earlier and is a critical flaw in SAML authentication. It stems from improper handling of XML DOM traversal and canonicalization within the Ruby-SAML library, which underpins SAML service provider implementations. The flaw lets an attacker manipulate SAML assertion data while the cryptographic signature remains valid, a direct authentication bypass for systems that rely on this library.

The root cause lies in how the library processes XML canonicalization during SAML assertion validation. When documents are canonicalized for signature verification, Ruby-SAML does not enforce strict XML parsing and traversal rules, so an attacker can craft an assertion in which specific XML elements are reordered, duplicated, or modified without breaking signature verification. Canonicalization should yield deterministic output for identical XML structures; the flawed implementation allows non-deterministic behavior that an attacker can exploit.

Operationally, this creates a severe risk for organizations relying on SAML-based single sign-on. An attacker can alter assertion attributes such as user identity claims, roles, permissions, and session attributes while the signature stays valid, gaining unauthorized access to protected applications and services and potentially full system compromise. The vulnerability is particularly dangerous because it is silent: authentication is bypassed without generating detectable anomalies in the authentication logs.

The attack vector typically involves specially formatted SAML assertions that exploit the canonicalization weakness to insert malicious data. The issue is mapped to CWE-295, improper certificate validation, and to CWE-347, which addresses improper handling of canonicalization. It aligns with ATT&CK technique T1550.001, which covers use of valid credentials for unauthorized access, since signature manipulation effectively bypasses authentication controls. Organizations running vulnerable versions of Ruby-SAML should immediately upgrade to patched versions, add further validation layers, and monitor for suspicious authentication patterns.

Mitigation should start with an immediate upgrade to a Ruby-SAML version that addresses the canonicalization flaw, followed by additional XML parsing validation checks and signature validation monitoring. Security teams should also consider automated detection that flags malformed SAML assertions and unusual attribute modifications in authentication flows. Finally, organizations should review their SAML configuration and ensure that XML canonicalization settings are properly enforced, so that similar weaknesses do not surface in other components of the authentication infrastructure.
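As an added illustration of the "additional XML parsing validation checks" recommended above (example code, not from VulDB or the Ruby-SAML project), the following REXML pre-check rejects an assertion whose identity-bearing elements are duplicated or carry mixed content, so that every DOM traversal API reads the same value the signature covers. The XPaths chosen and the sample assertions are constructed for this example.

```ruby
require 'rexml/document'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Elements whose text a service provider turns into an identity decision.
IDENTITY_XPATHS = [
  '//saml:Subject/saml:NameID',
  '//saml:AttributeStatement/saml:Attribute/saml:AttributeValue'
].freeze

# Returns a list of problems; an empty list means every identity-bearing
# element has the one shape that all DOM traversal APIs read identically.
def identity_element_problems(xml)
  doc = REXML::Document.new(xml)
  problems = []
  # Duplicates: a signature may cover one element while a naive lookup
  # acts on another, so insist on exactly one Assertion and one NameID.
  %w[//saml:Assertion //saml:Subject/saml:NameID].each do |xp|
    n = REXML::XPath.match(doc, xp, SAML_NS).size
    problems << "#{xp}: expected exactly one element, found #{n}" unless n == 1
  end

  IDENTITY_XPATHS.each do |xp|
    REXML::XPath.each(doc, xp, SAML_NS) do |el|
      # A single Text child is the only shape where "first text node" and
      # "all text content" agree; comments, nested elements or split text
      # let canonicalization and traversal disagree about the value.
      kinds = el.children.map { |c| c.class.name.sub('REXML::', '') }
      next if kinds == ['Text']
      problems << "#{el.expanded_name} has mixed content (#{kinds.join(', ')})"
    end
  end
  problems
end

# Constructed sample assertions (not real traffic); Signature omitted.
CLEAN = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
XML
SPLIT_NAMEID = CLEAN.sub('alice@example.com', 'alice@example.com<!-- -->.example.net')
DUPLICATE_SUBJECT = CLEAN.sub('</saml:Subject>',
  '</saml:Subject><saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>')

if $PROGRAM_NAME == __FILE__
  p identity_element_problems(CLEAN)              # => []
  p identity_element_problems(SPLIT_NAMEID)       # => ["saml:NameID has mixed content (Text, Comment, Text)"]
  p identity_element_problems(DUPLICATE_SUBJECT)  # => ["//saml:Subject/saml:NameID: expected exactly one element, found 2"]
end
```

Run the check on the raw response before it reaches the signature-validation and attribute-extraction code; any non-empty result is a reason to reject the assertion and log it.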

Responsible

Duo Security, Inc.

Reservation

07/18/2017

Moderation

accepted

CPE

ready

EPSS

0.00374

KEV

no

Activities

very low
