Vulnerability in Lasso Library Impacts Products From Cisco, Akamai

A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions.

Lasso — an acronym for Liberty Alliance Single Sign On — is a C library that implements Liberty Alliance and SAML (Security Assertion Markup Language) standards. It defines processes for federated identities, single sign-on (SSO) and other protocols.

The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company’s Enterprise Application Access (EAA) product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.

Further analysis by Akamai showed that the flaw, which allows an attacker to impersonate valid users, stems from the Lasso library itself, so products from other vendors that use Lasso are affected as well.

“This vulnerability potentially allowed actors with access to a well-formed SAML response for an organization – typically authenticated users, but potentially compromised endpoints or malicious proxies – to modify their identity and impersonate another user within the same organization,” Akamai explained.

It added, “To exploit this issue, the attacker would need to have had a valid credential for an [identity provider] or have obtained the credentials to authenticate as a valid user. We categorize the potential impact in four ways – enabling impersonated network access — both unauthenticated and authenticated — impersonated application access, and an alternative Lasso dependency for applications that rely on the Lasso library.”

Akamai determined that the vulnerability also impacts the SOGo and PacketFence packages maintained by Inverse, which Akamai acquired recently.

The Best Buy Enterprise Information Protection team and Sam Tinklenberg have been credited for finding the vulnerability. They informed Akamai about its existence on February 23, 2021.

Akamai has made available technical information about the issue. The company noted that the same type of vulnerability, known as XML Signature Wrapping, has been reported several times over the years, and that it appears to have existed in the Lasso codebase since 2005.
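XML Signature Wrapping bugs arise when the element whose signature is verified is not the element whose identity the application then trusts. The structural check below is an added example for illustration, not Lasso's or Akamai's code; it assumes the SAML 2.0 profile in which the Assertion itself carries an enveloped Signature, and it complements cryptographic XML-DSig verification rather than replacing it.

```python
# Added example (not Lasso's or Akamai's code): a structural guard against
# XML Signature Wrapping in a SAML 2.0 response. Run it alongside real
# XML-DSig verification (e.g. xmlsec); it only ties the signed element to
# the Assertion the application is about to trust.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response; the SignatureValue is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""

def signed_subject(response_xml: str) -> str:
    # Return the NameID of the Assertion the Signature covers; raise otherwise.
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError(f"expected one Signature, found {len(sigs)}")
    sig = sigs[0]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    # The signed element must be the very Assertion we consume: the Signature
    # is its direct child and the Reference URI names its ID. Anything else
    # (extra unsigned Assertion, dangling reference) is rejected, not used.
    parent = next((e for e in root.iter() if sig in list(e)), None)
    aid = assertion.get("ID")
    if parent is not assertion or not aid or uri != "#" + aid:
        raise ValueError("signature does not cover the consumed Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no NameID")
    return name_id.text.strip()

def accepts(response_xml: str) -> bool:
    # True only when the response passes the structural check.
    try:
        signed_subject(response_xml)
        return True
    except (ValueError, ET.ParseError):
        return False
```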

Cisco has also confirmed the use of the Lasso library and the networking giant is working on determining which of its products are impacted. Currently, Cisco’s advisory lists Adaptive Security Appliance (ASA), Content Security Management Appliance (SMA), Email Security Appliance (ESA), FXOS software, Web Security Appliance (WSA), and Firepower Threat Defense (FTD) as being affected.

Linux distributions Red Hat, Ubuntu and Debian have also released advisories for CVE-2021-28091.

Other vendors may be affected as well. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University was involved in the vulnerability disclosure process, but it has yet to release its own advisory. CERT/CC advisories typically contain a list of all vendors that are or may be impacted.

Lasso developers patched the vulnerability on June 1 with the release of version 2.7.0. Akamai released patches for its EAA product in early March and Cisco has also started releasing fixes.

Related: Widespread Vulnerability Found in Single-Sign-On Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
