Full Report
The Mendix SAML module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. Mendix has provided fix releases for the Mendix SAML module and recommends updating to the latest version. Note: For compatibility reasons, fixes for several versions of the Mendix SAML module were introduced in two release steps: The first fix versions address CVE-2023-25957. They remove the vulnerability, except when the recommended, default configuration option 'Use Encryption' is disabled. The second fix versions address CVE-2023-29129, which removes the issue for the non-default configuration as well.
Analysis Summary
# Vulnerability: Authentication Bypass in Mendix SAML Module via Insufficient SAML Assertion Verification
## CVE Details
- CVE ID: CVE-2023-25957, CVE-2023-29129
- CVSS Score: 9.1 (CRITICAL)
- CWE: CWE-303: Incorrect Implementation of Authentication Algorithm
## Affected Systems
- Products: Mendix SAML module (Mendix 7 compatible)
- Versions: All versions prior to the specified fix releases (including versions < V3.3.14 that are only affected by CVE-2023-29129, and specific versions listed in the advisory for CVE-2023-25957)
- Configurations:
  - **CVE-2023-25957:** Vulnerable unless the recommended, default configuration option `'Use Encryption'` is enabled.
  - **CVE-2023-29129:** Affects non-default configurations where the issue from CVE-2023-25957 persisted after the first fix stage.
## Vulnerability Description
The Mendix SAML module insufficiently verifies SAML assertions. This flaw allows unauthenticated remote attackers to bypass the application's authentication mechanisms and gain unauthorized access. This vulnerability was addressed in two stages: the first fix addressed the issue except when encryption was disabled, and the second fix closed the loophole related to certain non-default configurations (where encryption might have been disabled).
## Exploitation
- Status: Not explicitly stated as "Exploited in the wild." The CVSS vector for both CVEs carries an 'E:P' (Proof-of-Concept) exploit-maturity component, and together with the high score this implies that exploitation is feasible wherever fixed versions are not deployed.
- Complexity: Low (AC:L)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: None (A:N)
(The high impact stems from successful unauthenticated access leading to potential data compromise and manipulation.)
## Remediation
### Patches
Mendix has provided fix releases addressing both CVEs. Users should update to the latest version available for their specific Mendix 7 compatible module.
**Example Fix Releases Cited (Partial List, Users must consult original advisory for complete list):**
* For the second fix stage (CVE-2023-29129 neutralization): Update to **V3.3.14 or later** version (for one branch of the module).
### Workarounds
No workaround other than applying the patch is detailed. The one implied mitigation is that **enabling the recommended default 'Use Encryption' option** mitigates CVE-2023-25957 on versions that received only the first fix stage.
## Detection
- Indicators of Compromise: Unauthorized access attempts or successful logins originating from external, unauthenticated sources using SAML assertions.
- Detection methods and tools: Monitor SAML traffic for improperly formed or manipulated assertions targeting the application. Full mitigation requires patching.
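An added example, not code from Mendix or the advisory, of the kind of structural policy check a defender could run over captured SAML responses: it flags plaintext (unencrypted) assertions, unsigned assertions, and signatures whose Reference does not cover the assertion's own ID. The sample response, the function name and the policy are assumptions; the check does not replace cryptographic signature verification.

```python
# Added example (not the Mendix module's code). Structural checks over a SAML
# Response that a strict verifier should reject. It does NOT verify the XML
# signature cryptographically (use an xmlsec-backed library for that); it only
# surfaces the shape of the weakness the advisory describes.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def audit_saml_response(xml_text: str) -> list[str]:
    """Return findings; an empty list means every assertion is either
    encrypted or carries a signature referencing its own ID."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    plain = root.findall("saml:Assertion", NS)
    if not encrypted and not plain:
        findings.append("response carries no assertion")
    if plain:  # the recommended 'Use Encryption' policy expects none of these
        findings.append("plaintext assertion present (encryption policy not met)")
    for a in plain:
        aid = a.get("ID")
        sig = a.find("ds:Signature", NS)
        if sig is None:
            findings.append(f"assertion {aid} is unsigned")
            continue
        # An enveloped signature must reference this assertion's own ID,
        # otherwise it may be valid over some other element entirely.
        refs = [r.get("URI") for r in sig.findall(".//ds:Reference", NS)]
        if f"#{aid}" not in refs:
            findings.append(f"assertion {aid}: signature References {refs} do not cover it")
    return findings

# Constructed sample: a plaintext assertion whose signature references the
# enclosing Response rather than the assertion itself.
SAMPLE_BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in audit_saml_response(SAMPLE_BAD):
        print("FINDING:", finding)
```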
## References
- Vendor advisories: SSA-851884
- Relevant links:
  - [https://cert-portal.siemens.com/productcert/html/ssa-851884.html](https://cert-portal.siemens.com/productcert/html/ssa-851884.html)
  - [https://marketplace.mendix.com/link/component/1174](https://marketplace.mendix.com/link/component/1174)