A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions.
Lasso — an acronym for Liberty Alliance Single Sign On — is a C library that implements Liberty Alliance and SAML (Security Assertion Markup Language) standards. It defines processes for federated identities, single sign-on (SSO) and other protocols.
The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company’s Enterprise Application Access (EAA) product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.
Further analysis by Akamai showed that the flaw, which allows an attacker to impersonate valid users, was introduced by the use of Lasso, and that products from other vendors are affected as well.
“This vulnerability potentially allowed actors with access to a well-formed SAML response for an organization – typically authenticated users, but potentially compromised endpoints or malicious proxies – to modify their identity and impersonate another user within the same organization,” Akamai explained.
It added, “To exploit this issue, the attacker would need to have had a valid credential for an [identity provider] or have obtained the credentials to authenticate as a valid user. We categorize the potential impact in four ways – enabling impersonated network access – both unauthenticated and authenticated – impersonated application access, and an alternative Lasso dependency for applications that rely on the Lasso library.”
Akamai determined that the vulnerability also impacts the SOGo and PacketFence packages maintained by Inverse, which Akamai acquired recently.
The Best Buy Enterprise Information Protection team and Sam Tinklenberg have been credited for finding the vulnerability. They informed Akamai about its existence on February 23, 2021.
Akamai has made available technical information about the issue. The company noted that the same class of vulnerability, known as XML Signature Wrapping, has been reported several times over the years, and that the flaw appears to have existed in the Lasso codebase since 2005.
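The defensive core of an XML Signature Wrapping fix is a binding check: after the XML-DSig signature has been verified cryptographically, the validator must confirm that the assertion it is about to trust is exactly the element the signature covers, not merely that some valid signature exists somewhere in the document. The Python below is an added illustration of that check, not Lasso's, Akamai's or Cisco's code. It assumes the standard SAML 2.0 and XML-DSig namespaces, an enveloped signature whose single Reference URI is an `#ID` fragment, and two constructed sample responses (the `SignatureValue` contents are placeholders); real cryptographic verification (for example via xmlsec) is assumed to happen elsewhere and is out of scope here.

```python
# Added example: structural binding check a SAML relying party should run
# in addition to (not instead of) cryptographic XML-DSig verification.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


class SamlBindingError(Exception):
    """The assertion that would be consumed is not the element the signature covers."""


def select_signed_assertion_subject(response_xml: str) -> str:
    """Return the NameID of the one assertion that is safe to trust.

    Assumption: the caller has already verified the signature bytes. This
    function only enforces that the signed element and the consumed element
    are the same node, which is the property signature-wrapping breaks.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlBindingError("root element is not samlp:Response")
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}

    # 1. Exactly one Assertion as a direct child of the Response.
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlBindingError(f"expected one top-level assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlBindingError("assertion has no ID attribute")

    # 2. Exactly one Signature anywhere, and it is enveloped in that assertion.
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if len(signatures) != 1:
        raise SamlBindingError(f"expected one signature, found {len(signatures)}")
    if parent_of.get(signatures[0]) is not assertion:
        raise SamlBindingError("signature is not enveloped in the consumed assertion")

    # 3. The signature's single Reference must point at the consumed assertion.
    refs = signatures[0].findall(f"./{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != f"#{assertion_id}":
        raise SamlBindingError("signature reference does not point at the consumed assertion")

    # 4. The referenced ID must be unique, so the URI cannot be ambiguous.
    if sum(1 for el in root.iter() if el.get("ID") == assertion_id) != 1:
        raise SamlBindingError(f"ID {assertion_id!r} is not unique in the document")

    name_id = assertion.find(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise SamlBindingError("signed assertion carries no NameID")
    return name_id.text.strip()


def verdict(response_xml: str) -> tuple:
    """Convenience wrapper: ('accepted', subject) or ('rejected', reason)."""
    try:
        return ("accepted", select_signed_assertion_subject(response_xml))
    except SamlBindingError as exc:
        return ("rejected", str(exc))


_NS = (f'xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"')
_SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

# Constructed sample: one assertion, signature enveloped in it, Reference matches.
GOOD_RESPONSE = f"""<samlp:Response {_NS} ID="_r1">
  <saml:Assertion ID="_a1">{_SIG}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample for the failure mode: the signed assertion still exists and
# its signature still verifies, but it is no longer the top-level assertion a
# naive validator would consume. The binding check must reject this.
WRAPPED_RESPONSE = f"""<samlp:Response {_NS} ID="_r2">
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>someone-else@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="_a1">{_SIG}
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""

if __name__ == "__main__":
    print(verdict(GOOD_RESPONSE))
    print(verdict(WRAPPED_RESPONSE))
```

The four checks are deliberately redundant: check 2 alone rejects the wrapped sample above, but check 3 and check 4 close the other classic variants (a Reference that points at a different ID, or two elements sharing one ID so the fragment resolves ambiguously). Libraries that resolve the `#ID` fragment first and then consume whatever assertion they find elsewhere in the tree are exactly the pattern this binding step is meant to rule out.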
Cisco has also confirmed the use of the Lasso library and the networking giant is working on determining which of its products are impacted. Currently, Cisco’s advisory lists Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as being affected.
Linux distributions Red Hat, Ubuntu and Debian have also released advisories for CVE-2021-28091.
Other vendors may be affected as well. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University was involved in the vulnerability disclosure process, but it has yet to release its own advisory. CERT/CC advisories typically contain a list of all vendors that are or may be impacted.
Lasso developers patched the vulnerability on June 1 with the release of version 2.7.0. Akamai released patches for its EAA product in early March and Cisco has also started releasing fixes.
Related: Widespread Vulnerability Found in Single-Sign-On Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.