Patch/Mitigate Vulnerability in SimpleSAMLphp
This alert is intended for the U-M Security Community and U-M IT professionals who may be responsible for sites that could be impacted by a vulnerability in SimpleSAMLphp. Please share with any website, web application, or web server administrators within your unit, as appropriate.
Summary
This alert is an update to the ITS IA Security Advisory: Prepare to Respond to Vulnerability in SimpleSAMLphp. This update includes information about patches that have been released for certain versions, as well as relevant updates or mitigation.
Problem
Patches have been released to address a High severity XML External Entity (XXE) vulnerability in SimpleSAMLphp. SimpleSAMLphp is often included in higher-level software, such as authentication plugins/modules for Drupal, WordPress, and other web applications. It is unclear at this time how this vulnerability may be exploited; however, because of the high severity, it is important to take action and apply available patches or mitigate.
Affected Versions
SimpleSAMLphp Software:
- Versions of 2.3.x prior to 2.3.4
- Versions of 2.2.x prior to 2.2.4
- Versions of 2.1.x prior to 2.1.7
- Versions 2.0.14 and 1.x are no longer maintained and did not get patched. If you have one of these versions installed, upgrade to 2.3.5, 2.2.4, or 2.1.7 as soon as possible.
- Version 2.3.5 has also been released to address a bug in 2.3.4.
Some websites need to upgrade SimpleSAMLphp separately from any plugin/module that uses it. Examples include:
- WP SAML Auth comes with the OneLogin SAML library, which is not vulnerable; however, the vendor’s documentation specifically states to replace OneLogin with SimpleSAMLphp when integrating with a Shibboleth IdP.
- Drupal simpleSAMLphp Authentication module needs to be upgraded separately.
Composer-managed websites will need to run Composer to update the installed version of SimpleSAMLphp if SimpleSAMLphp is listed as a Composer package dependency rather than included with the authentication package itself.
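The following shell script is an added example (not part of this advisory or of the SimpleSAMLphp project) that turns the version list above into a check an administrator can run: it reads the version pinned for simplesamlphp/simplesamlphp out of a composer.lock file and classifies it against the fixed releases named in this alert. The composer.lock fragment embedded in it is constructed for demonstration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed SimpleSAMLphp
# version against the fixed releases listed in the alert, and pull the pinned
# version out of a Composer lock file. The sample lock content is constructed.

# Print one of: patched, vulnerable, unsupported, not-covered
simplesamlphp_status() {
  v=${1#v}                        # Composer reports versions as "v2.3.3"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;               # "2.3" with no patch component
  esac
  patch=${patch%%[!0-9]*}         # drop suffixes such as "-rc1"
  patch=${patch:-0}
  case "$major.$minor" in
    2.3) [ "$patch" -ge 4 ] && echo patched || echo vulnerable ;;
    2.2) [ "$patch" -ge 4 ] && echo patched || echo vulnerable ;;
    2.1) [ "$patch" -ge 7 ] && echo patched || echo vulnerable ;;
    2.0|1.*) echo unsupported ;;  # no fix released; upgrade to a maintained branch
    *) echo not-covered ;;        # release line not listed in the advisory
  esac
}

# Extract the version pinned for simplesamlphp/simplesamlphp in a composer.lock
lock_version() {
  awk '/"name": *"simplesamlphp\/simplesamlphp"/ { found = 1 }
       found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# Constructed composer.lock fragment (placeholder package names and versions)
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "example-vendor/unrelated-package",
            "version": "1.0.0"
        },
        {
            "name": "simplesamlphp/simplesamlphp",
            "version": "v2.3.3"
        }
    ]
}
EOF

installed=$(lock_version "$SAMPLE_LOCK")
echo "simplesamlphp/simplesamlphp $installed: $(simplesamlphp_status "$installed")"
```

On a real Composer-managed site, point `lock_version` at the site's own composer.lock, or compare the output of `composer show simplesamlphp/simplesamlphp` against `simplesamlphp_status`. A result of `not-covered` means the release line is not one the alert lists, so check the SimpleSAMLphp advisory directly rather than assuming it is safe.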
The SimpleSAMLphp advisory includes a mitigation that requires hand-editing a PHP file on the web server. Note: If utilizing this mitigation in lieu of updating SimpleSAMLphp, it is important to test appropriately before implementing it.
Action Items
As appropriate, apply patches that have been released for affected software versions, upgrade SimpleSAMLphp for websites that include it as a plugin or module, or run a Composer update.
Alternatively, utilize the mitigation provided in the SimpleSAMLphp advisory while ensuring thorough testing is completed before implementation.
The following WILL need to be updated:
- SimpleSAMLphp library (if you are using it directly in your code)
- If you have manually installed it for use with another plugin or module, for example, the WP SAML Auth WordPress plugin
- Drupalauth module for Drupal
- simpleSAML module for Drupal
The following ARE NOT vulnerable:
- SAMLauth Drupal module
- openid_connect Drupal module
- Shibboleth WordPress plugin
- miniorange-saml-20-single-sign-on WordPress plugin
- umichauth-wp WordPress plugin
- UMich OIDC Login or Daggerhart OpenID Connect Generic plugin for WordPress.
How We Protect U-M
CrowdStrike Falcon should be installed on all UM-owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Installing and running the Falcon sensor is particularly important on systems such as web servers, which may be exposed to internet traffic. If you run into problems installing Falcon, contact Information Assurance with an Endpoint Protection ticket through the ITS Service Center.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- XXE in parsing SAML messages (SimpleSAMLphp.org)
- CVE-2024-52806 (Tenable.com)
- CVE-2024-52596 (Tenable.com)
- CVE-2024-52596 Detail (NIST.gov)