Recent vulnerabilities in .NET libraries used for SPID and CIE authentication have been discovered. The issue, reported to CERT-AGID by Shielder, affects Service Providers using these libraries, allowing attackers to forge SAML responses and impersonate users. Service Providers are advised to update to secure library versions and verify SAML response controls.
Affected: SPID, CIE, Service Providers
Keypoints:
- Vulnerabilities found in .NET libraries for SPID and CIE authentication.
- The libraries were developed during a 2017 challenge and are hosted on GitHub.
- Reported by Shielder to CERT-AGID; the flaw concerns the SAML response verification mechanism.
- Affects only Service Providers implementing SPID or CIE authentication with these libraries.
- The vulnerability allows generation of arbitrary SAML responses, enabling user impersonation.
- Two vulnerable libraries have been deprecated and replaced with secure versions.
- A third library has been completely withdrawn.
- AgID introduced new controls in the SAML SP Validator for SPID to detect SAML response anomalies.
- Service Providers are urged to upgrade to the latest library versions and check SAML controls closely.
MITRE Techniques:
- TA0001: Initial Access – Attackers exploit vulnerabilities in authentication libraries to gain entry.
- T1071.001: Application Layer Protocol: Web Protocols – Vulnerabilities in web-based authentication mechanisms were exploited.
- TA0011: Command and Control – Potential for compromised user accounts leading to further exploitation.
Indicators of Compromise:
- [Domain] github.com
- [IOC Type] Library Version – Specific library versions should be checked for vulnerabilities.
Full Story: https://cert-agid.gov.it/news/risolte-vulnerabilita-nelle-librerie-net-per-spid-e-cie/