SOGo and PacketFence Impacted by SAML Implementation Vulnerabilities
Part of Akamai's incident management process for vulnerabilities in third party software involves verifying potential impact in other systems using the same or similar libraries. While following that process when addressing the SAML impersonation vulnerability, CVE-2021-28091, which impacted Akamai's Enterprise Application Access (EAA) platform, incident responders assessed the impact on other Akamai software including the code maintained by Inverse, who Akamai recently acquired.
During the impact review of Inverse, we determined that the SOGo and PacketFence packages use the vulnerable Lasso library and were impacted. SOGo and PacketFence are both open source packages which offer paid support contracts. Both packages use the Lasso library to integrate with SAML Identity Providers (IdPs), and thus were vulnerable to CVE-2021-28091 when SAML was used to authenticate users. The SOGo package both used the vulnerable Lasso library and had its own vulnerability related to the way it used the Lasso library, which has been assigned the CVE ID CVE-2021-33054. In both cases, only deployments which use SAML to authenticate its users were impacted by these vulnerabilities. We explain the impact and actions required for each package below.
The PacketFence package uses Lasso to parse SAML responses when SAML is used to authenticate users on its captive portal. The vulnerability in the Lasso library potentially allowed actors with access to a well-formed SAML response for an organization--typically, authenticated users but potentially compromised endpoints or malicious proxies--to modify their identity and impersonate another user within the same organization.
PacketFence actions required
Akamai recommends that administrators of PacketFence deployments update their versions of Lasso to version 2.7.0 or later, which is available on the Lasso project page. This should be available shortly, if not already, from the major Linux package managers as well. After patching, the PacketFence process would need to be restarted to ensure that the update is completed.
For deployments of PacketFence which use SAML to authenticate users, Akamai recommends the following actions after updating the Lasso dependency:
- Removing all existing authorizations for all devices which have been authenticated using SAML, triggering re-authentication of all devices.
- Review PacketFence's access configurations to assess if an impersonated user would have allowed additional access to resources on your network beyond what the legitimate user would have been able to access.
- For cases where there may be unauthorized access, review those applications further. Review of access logs or other related information may help identify potentially unexpected changes.
The SOGo package uses Lasso to parse SAML responses when SAML is used to authenticate end users to its services. In reviewing SOGo's source code, Akamai identified an additional vulnerability which has been assigned the CVE ID CVE-2021-33054. As with PacketFence, this vulnerability is related to authenticating users, but after the investigation, we determined that SOGo was not validating the signatures of any SAML assertions it received. This means any actor with network access to the deployment could impersonate users when SAML was the authentication method. This vulnerability was introduced on April 5th, 2013 when this commit was made, disabling verification of SAML responses. This vulnerability was fixed in this commit and a new release of the SOGo package, version v5.1.1 has been released including this fix. For users still on the v2 release of SOGo, v2.4.1 was also released which includes a fix for this vulnerability.
SOGo actions required
Akamai recommends that administrators of SOGo deployments update SOGo to version 2.4.1 or version 5.1.1 or later and to update the Lasso library to version 2.7.0 or later. The fix to SOGo has been pushed to the SOGo repository in GitHub. Updated versions of Lasso should be available in most major Linux package managers, if not already available, in the next day or so as well. It is imperative that both updates are completed in order to fix the SOGo specific vulnerability and the vulnerability in Lasso for deployments using SAML. After patching, the SOGo process would need to be restarted to ensure that the update is completed.
For deployments of SOGo which use SAML to authenticate users, Akamai recommends the following actions after updating SOGo and the Lasso library:
- Invalidate all current user sessions to the service. Instructions on how to do this can be found here.
- Administrators should review their access logs for potentially inconsistent accesses to their SOGo deployments which may be indicative of impersonated access. Impersonated access would not be directly visible in the application logs as conditions that would indicate exploitation of this vulnerability were not logged.
Because these vulnerabilities are directly linked to the Lasso-related EAA vulnerability, Akamai included the impact to SoGo and PacketFence in the embargoed disclosure statement. While a partial fix to the SOGo package would have been possible prior to the publication date, publishing the partial SOGo fix may have resulted in extra scrutiny of the Lasso library. This could have accelerated the responsible disclosure timeline, endangering the patching of other impacted parties.
For a detailed overview of the Lasso vulnerability, we have posted the vulnerability details in a companion blog post.
SOGo and PacketFence users with support contracts who have questions about the fixes should contact Inverse's support team through the web portal or their support phone number.