Vulnerability in Lasso Library Impacts Products From Cisco, Akamai

A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions.

Lasso — an acronym for Liberty Alliance Single Sign On — is a C library that implements Liberty Alliance and SAML (Security Assertion Markup Language) standards. It defines processes for federated identities, single sign-on (SSO) and other protocols.

The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company’s Enterprise Application Access (EAA) product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.

Akamai's further analysis showed that the flaw, which allows an attacker to impersonate valid users, originates in Lasso itself rather than in EAA-specific code, so products from other vendors that rely on the library are affected as well.

“This vulnerability potentially allowed actors with access to a well-formed SAML response for an organization – typically authenticated users, but potentially compromised endpoints or malicious proxies – to modify their identity and impersonate another user within the same organization,” Akamai explained.

It added, “To exploit this issue, the attacker would need to have had a valid credential for an [identity provider] or have obtained the credentials to authenticate as a valid user. We categorize the potential impact in four ways – enabling impersonated network access — both unauthenticated and authenticated — impersonated application access, and an alternative Lasso dependency for applications that rely on the Lasso library.”

Akamai determined that the vulnerability also impacts the SOGo and PacketFence packages maintained by Inverse, which Akamai acquired recently.

The Best Buy Enterprise Information Protection team and Sam Tinklenberg have been credited for finding the vulnerability. They informed Akamai about its existence on February 23, 2021.

Akamai has made available technical information about the issue. The company noted that the bug belongs to a class known as XML Signature Wrapping, which has been reported repeatedly in SAML implementations over the past years, and that the flaw appears to have existed in the Lasso codebase since 2005.
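The mismatch that XML Signature Wrapping exploits is easier to see in code than in prose. The following Python 3 sketch is an added illustration of the bug class, not Lasso's code and not Akamai's analysis: the verifier correctly checks the element referenced by the Signature, but the application then reads the first Assertion it finds in the document, so an attacker holding a validly signed response for their own account can prepend an unsigned Assertion naming someone else. HMAC over a simplified serialisation stands in for XMLDSig signing and canonicalisation, the Reference sits directly under Signature, and the element IDs, user names and key are constructed for the demo; all of that is an assumption rather than anything the article states. The hardened variant consumes only the element the signature was verified over and refuses responses carrying more than one Assertion.

```python
"""XML Signature Wrapping sketch: signed element != consumed element.
Added illustration, not Lasso's or Akamai's code.  HMAC over a simplified
serialisation stands in for XMLDSig + C14N (assumption)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # stable prefixes => stable serialisation

KEY = b"constructed-demo-shared-key"  # toy key; a real IdP signs with a private key
ASSERTION = f"{{{SAML}}}Assertion"


def canonical(elem):
    """Stand-in for C14N: serialise the element subtree without its tail text."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e, encoding="utf-8")


def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def build_signed_response(name_id):
    """'IdP' side: one Assertion plus a Signature whose Reference points at it by ID."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    assertion = ET.SubElement(resp, ASSERTION, ID="_a1")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    sig = ET.SubElement(resp, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}Reference", URI="#_a1")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac(canonical(assertion))
    return ET.tostring(resp, encoding="unicode")


def wrap_attack(signed_xml, impersonate):
    """Attacker holding a valid response for their own account: keep the signed
    Assertion untouched, add an unsigned one naming another user in front of it."""
    root = ET.fromstring(signed_xml)
    forged = ET.Element(ASSERTION, ID="_forged")
    subject = ET.SubElement(forged, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = impersonate
    root.insert(0, forged)  # document order now: forged, original, Signature
    return ET.tostring(root, encoding="unicode")


def elements_with_id(root, ref):
    ident = ref.lstrip("#")
    return [el for el in root.iter() if el.get("ID") == ident]


def verify_signature(root):
    """Resolve the Reference URI and check the MAC.  Returns the element the
    signature actually covers, or None.  Duplicate IDs are rejected."""
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:Reference", NS)
    value = sig.find("ds:SignatureValue", NS)
    if ref is None or value is None:
        return None
    matches = elements_with_id(root, ref.get("URI", ""))
    if len(matches) != 1:
        return None
    target = matches[0]
    return target if hmac.compare_digest(mac(canonical(target)), value.text or "") else None


def signature_checks_out(xml_text):
    return verify_signature(ET.fromstring(xml_text)) is not None


def vulnerable_login(xml_text):
    """Vulnerable pattern: the signature check passes, then the code reads
    whichever Assertion comes first in document order, not the signed one."""
    root = ET.fromstring(xml_text)
    if verify_signature(root) is None:
        return None
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def hardened_login(xml_text):
    """Hardened: consume only the element the signature was verified over,
    require it to be an Assertion, and refuse responses with extra Assertions."""
    root = ET.fromstring(xml_text)
    signed = verify_signature(root)
    if signed is None or signed.tag != ASSERTION:
        return None
    if len(root.findall(".//saml:Assertion", NS)) != 1:
        return None
    return signed.find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    legit = build_signed_response("alice@example.org")
    forged = wrap_attack(legit, "admin@example.org")
    print("signature still valid:", signature_checks_out(forged))  # True
    print("vulnerable login as:", vulnerable_login(forged))  # admin@example.org
    print("hardened login as:", hardened_login(forged))  # None
```

The point to take from the run is that the forged response passes the signature check, because the signed Assertion is still present and untouched; the failure is purely in which element the application reads afterwards. A real verifier must return the verified node (or its ID) to the caller and the caller must process nothing else, which is the same discipline regardless of whether the library beneath it is Lasso or another XMLDSig implementation.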

Cisco has also confirmed that it uses the Lasso library and is still determining which of its products are impacted. Currently, Cisco's advisory lists Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as affected.

Linux distributions Red Hat, Ubuntu and Debian have also released advisories for CVE-2021-28091.

Other vendors may be affected as well. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University was involved in the vulnerability disclosure process, but it has yet to release its own advisory. CERT/CC advisories typically contain a list of all vendors that are or may be impacted.

Lasso developers patched the vulnerability on June 1 with the release of version 2.7.0. Akamai released patches for its EAA product in early March and Cisco has also started releasing fixes.

Related: Widespread Vulnerability Found in Single-Sign-On Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
