How the Critical Golang XML parser bug cause SAML authentication bypass?
Security researchers at Mattermost, coordinating with the Go security team disclosed three critical vulnerabilities within the Go languages XML parser. If exploited, these vulnerabilities can lead to a complete bypass of Security Assertion Mark-up Language (SAML) authentication, as the vulnerabilities impact Go’s implementation of SAML.
The XML round-trip vulnerabilities listed below exist within Go’s XML’S parser “encoding/XML”, which does not return reliable results when encoding and decoding input from XML. Meaning inconsistent and unexpected results may return from the parser. If an application uses the XML parser, the encoder and decoder will not preserve the semantics of the original mark-up.
As this may seem trivial, but multiple applications rely on semantic integrity. In this context, an attacker can trick the XML parser to bypass SAML authentication completely. SAML is a web authentication standard used by multiple, prominent websites and services to facilitate easier online sign-in that uses XML.
The CVE advisories can be found here:
- CVE-2020-29509: XML attribute instability in Go’s encoding/xml
- CVE-2020-29510: XML directive instability in Go’s encoding/xml
- CVE-2020-29511: XML element instability in Go’s encoding/xml
Successful exploitation of this vulnerability can result in privilege escalation or authentication bypass, depending on how the vulnerable application uses the XML parser.
The Go Security Team has stated that there is no patch available to adequately patch these vulnerabilities. The current remediation available is insufficient to guarantee XML parsing reliability.
The Mattermost team has provided a tool called “XML-roundtrip-validator”, that can be used as a workaround when implementing XML validation in an application.
There are also some fixed versions for some individual Go-based SAML projects, which can be found here: