CVE-2024-45409 Overview
CVE-2024-45409 is a critical authentication bypass vulnerability in the Ruby SAML library, which is widely used for implementing the client side of SAML authorization in Ruby applications. The vulnerability stems from improper verification of SAML Response signatures, allowing unauthenticated attackers to forge SAML assertions and gain unauthorized access to vulnerable systems.
The Ruby-SAML library versions 12.2 and earlier, as well as versions 1.13.0 through 1.16.0, fail to properly validate the signature of SAML Response documents. An attacker who has access to any legitimately signed SAML document from the Identity Provider (IdP) can exploit this flaw to craft a forged SAML Response or Assertion with arbitrary contents, effectively bypassing authentication and logging in as any user.
Critical Impact
Unauthenticated attackers can forge SAML assertions to impersonate any user, leading to complete authentication bypass and unauthorized access to systems using vulnerable Ruby SAML implementations.
Affected Products
- OneLogin Ruby-SAML versions ≤ 12.2 and versions 1.13.0 through 1.16.0
- OmniAuth SAML (omniauth-saml) versions prior to patched releases
- GitLab instances using vulnerable Ruby-SAML versions
Discovery Timeline
- September 10, 2024 - CVE-2024-45409 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-45409
Vulnerability Analysis
This vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), representing a fundamental flaw in how the Ruby SAML library processes XML digital signatures. The core issue lies in the signature verification logic within lib/xml_security.rb, where XPath queries used overly broad selectors that could be manipulated by attackers.
The vulnerable code located the signature's Reference with the //ds:Reference XPath expression (the double-slash prefix selects along the descendant-or-self axis from the document root) instead of a path such as ./ds:Reference relative to the SignedInfo element being verified, so a Reference element placed elsewhere in the document by an attacker could be the one selected for digest checking. Additionally, the code failed to validate that only one element with a given ID exists in the document, enabling classic XML Signature Wrapping attacks.
Root Cause
The root cause is improper XPath query construction in the signature verification process. The vulnerable implementation:
- Used absolute XPath queries (//ds:Reference) instead of relative queries (./ds:Reference) when locating signature references
- Failed to verify that exactly one element matches the signed element ID
- Did not properly scope XPath queries to the SignedInfo element context
These flaws allowed attackers to insert additional XML elements with duplicate IDs, causing the library to verify the signature of a legitimately signed element while processing the attacker-controlled content.
Attack Vector
The attack exploits XML Signature Wrapping, a well-known vulnerability class in SAML implementations. The attack requires the attacker to have access to any validly signed SAML document from the target IdP. The attacker then:
- Obtains a legitimately signed SAML Response from the IdP
- Creates a forged SAML Response with arbitrary user attributes
- Wraps the original signed content in a way that signature verification passes on the original content
- The application then processes the forged assertion instead of the verified one, granting access as an arbitrary user
# Security patch demonstrating the fix in lib/xml_security.rb
# Source: https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
noko_sig_element.remove
+ # get signed info
+ signed_info_element = REXML::XPath.first(
+ sig_element,
+ "./ds:SignedInfo",
+ { "ds" => DSIG }
+ )
# get inclusive namespaces
inclusive_namespaces = extract_inclusive_namespaces
# check digests
- ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+ ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
- hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+ reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+ if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+ return append_error("Digest Mismatch", soft)
+ end
+
+ hashed_element = reference_nodes[0]
canon_algorithm = canon_algorithm REXML::XPath.first(
- ref,
- '//ds:CanonicalizationMethod',
+ signed_info_element,
+ './ds:CanonicalizationMethod',
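Review bot: in the duplicate-ID branch (`if reference_nodes.length > 1`) the error returned is "Digest Mismatch", which makes a wrapping attempt indistinguishable in application logs from an ordinary digest failure; a distinct message (for example "Multiple elements match the signed element ID") would let the detection measures in this advisory alert on that condition specifically. Note also that the excerpt stops inside the `canon_algorithm` call, so the remaining arguments of that expression are not visible here.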
Detection Methods for CVE-2024-45409
Indicators of Compromise
- Unexpected user authentication events, particularly for privileged accounts, originating from unusual sources
- SAML Response documents containing duplicate ID attributes within the same XML structure
- Authentication logs showing successful service-provider logins with no corresponding authentication event recorded on the IdP side
- Anomalous session creation patterns where users appear to authenticate without standard SSO workflows
Detection Strategies
- Implement application-layer logging that captures full SAML Response documents for forensic analysis
- Monitor for authentication attempts where the SAML assertion username differs from expected patterns or contains suspicious values
- Deploy Web Application Firewall (WAF) rules to detect malformed SAML responses with duplicate ID attributes
- Analyze authentication logs for sessions created without proper IdP correlation
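The following script is an added example and is not part of ruby-saml or of this advisory's original content. It applies, to a SAML Response document, the two structural rules the Root Cause section and the patch describe (a Reference is looked up only under its own Signature's SignedInfo, and the referenced ID must match exactly one element) and also reports the document-wide "duplicate ID attributes" indicator from the Detection section, so it can be run over captured SAMLResponse parameters during log review. It uses only Ruby's standard-library REXML; the two sample documents, the function names, the return symbols, and the extra rule that an enveloped signature must sign its own parent element are all constructed here and are not from the library. Digest and signature values in the samples are placeholders, and no cryptographic verification is performed.

```ruby
# Added example, not ruby-saml code: structural pre-checks mirroring the
# scoping and duplicate-ID rules of the CVE-2024-45409 fix, plus the
# "duplicate ID attributes" indicator, using only Ruby's standard library.
require "rexml/document"
require "rexml/xpath"

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = { "ds" => DSIG_NS }

# All values of ID attributes that occur more than once in the document.
def duplicate_ids(xml)
  doc = REXML::Document.new(xml)
  ids = REXML::XPath.match(doc, "//*[@ID]").map { |e| e.attributes["ID"] }
  ids.group_by(&:itself).select { |_, v| v.length > 1 }.keys
end

# Returns :ok, or a symbol naming the first structural problem found.
# Cryptographic verification is deliberately out of scope here.
def check_saml_response(xml)
  doc = REXML::Document.new(xml)
  signatures = REXML::XPath.match(doc, "//ds:Signature", NS)
  return :no_signature if signatures.empty?

  signatures.each do |sig|
    # Scoped as in the fix: only References under this Signature's own SignedInfo.
    refs = REXML::XPath.match(sig, "./ds:SignedInfo/ds:Reference", NS)
    return :reference_count unless refs.length == 1
    uri = refs[0].attributes["URI"].to_s
    return :bad_uri unless uri.start_with?("#")
    id = uri[1..]
    # Collect every element carrying that ID (no string interpolation into XPath).
    targets = REXML::XPath.match(doc, "//*[@ID]").select { |e| e.attributes["ID"] == id }
    return :duplicate_id if targets.length > 1
    return :missing_target if targets.empty?
    # Stricter than the library fix (assumption made here): an enveloped SAML
    # signature must sign its own parent element.
    return :reference_not_parent unless targets[0].equal?(sig.parent)
  end
  :ok
end

# SAMLResponse form parameters arrive base64-encoded; "m" is base64 in pack/unpack.
def check_saml_response_param(param)
  check_saml_response(param.unpack1("m"))
end

# Constructed sample: one signed Assertion, unique IDs, placeholder crypto values.
CLEAN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample showing the indicator: two Assertion elements share ID "_a1".
DUPLICATE_ID_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>someone-else</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts "clean:     #{check_saml_response(CLEAN_RESPONSE)} dup IDs=#{duplicate_ids(CLEAN_RESPONSE).inspect}"
  puts "duplicate: #{check_saml_response(DUPLICATE_ID_RESPONSE)} dup IDs=#{duplicate_ids(DUPLICATE_ID_RESPONSE).inspect}"
end
```

The checks run before any signature verification and are cheap, so they suit both a WAF-style pre-filter and offline review of captured SAML Response documents; a `:duplicate_id` or `:reference_not_parent` result on traffic from a trusted IdP is worth an alert on its own, since legitimate IdP output never has either shape.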
Monitoring Recommendations
- Enable verbose SAML debugging logs temporarily during vulnerability assessment periods
- Set up alerts for authentication events from high-privilege accounts that bypass expected MFA flows
- Monitor Ruby-SAML library versions in deployment manifests and dependency files using SCA tools
- Implement real-time correlation between IdP authentication events and SP session creation
How to Mitigate CVE-2024-45409
Immediate Actions Required
- Upgrade Ruby-SAML to version 1.17.0 or 1.12.3 immediately to address the signature verification flaw
- Audit all applications using OmniAuth-SAML and ensure they pull the patched Ruby-SAML dependency
- Review authentication logs for signs of exploitation, particularly unexpected admin account access
- Consider temporarily disabling SAML authentication and using alternative methods until patching is complete
Patch Information
The vulnerability has been addressed in Ruby-SAML versions 1.17.0 (for the 1.x branch) and 1.12.3 (for the legacy branch). The fix modifies the XPath query behavior in lib/xml_security.rb to use relative paths and validates that only one element exists with the referenced ID. Organizations should update their Gemfile to specify the patched versions.
- For detailed patch changes, see the Ruby-SAML Security Advisory
- OmniAuth-SAML users should reference the OmniAuth-SAML Security Advisory
- GitLab users should update to patched GitLab releases that include the fixed Ruby-SAML dependency
Workarounds
- If immediate patching is not possible, disable SAML-based authentication and use alternative authentication mechanisms temporarily
- Implement network-level restrictions to limit SAML endpoint access to known, trusted IdP sources only
- Configure IdP settings to sign both the SAML Response and Assertion elements, adding defense-in-depth
- Deploy additional authentication factors that do not rely on SAML assertion contents
# Update Ruby-SAML to patched version
bundle update ruby-saml
# Alternatively, specify the version constraint in the Gemfile. Only add a new
# line if ruby-saml is not already declared there; Bundler rejects a gem
# declared twice, so edit the existing line in that case.
# (Legacy 1.12.x branch: use '~> 1.12.3' instead of '>= 1.17.0'.)
grep -q "ruby-saml" Gemfile || echo "gem 'ruby-saml', '>= 1.17.0'" >> Gemfile
bundle install
# Verify installed version
bundle show ruby-saml
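The Monitoring Recommendations call for checking Ruby-SAML versions in dependency files, and the Patch Information names the two patched releases. The script below is an added example, not code from ruby-saml, Bundler or this advisory: it reads the resolved ruby-saml version(s) out of a Gemfile.lock and classifies each against the patched versions stated above (1.17.0 for the current branch, 1.12.3 as the backport for the legacy 1.12.x branch). The lockfile excerpt, function names and status symbols are constructed for the example.

```ruby
# Added example, not ruby-saml or Bundler code: audit Gemfile.lock for
# ruby-saml versions against the patched releases named in this advisory.
require "rubygems"

PATCHED_CURRENT = Gem::Version.new("1.17.0")
PATCHED_LEGACY  = Gem::Version.new("1.12.3")

# :patched or :vulnerable for a single ruby-saml version string.
def ruby_saml_status(version_string)
  v = Gem::Version.new(version_string)
  return :patched if v >= PATCHED_CURRENT
  # 1.12.3+ is the backport for the legacy branch; 1.13.0 through 1.16.x stay vulnerable.
  return :patched if v.segments[0, 2] == [1, 12] && v >= PATCHED_LEGACY
  :vulnerable
end

# Resolved versions appear in the specs section of Gemfile.lock as
# "    name (version)" (four-space indent). Dependency constraints such as
# "      ruby-saml (~> 1.12)" are indented deeper and start with an operator,
# so they are not matched.
def ruby_saml_versions_in_lockfile(lock_text)
  lock_text.scan(/^ {4}ruby-saml \(([0-9][0-9A-Za-z.]*)\)\s*$/).flatten
end

# Maps each resolved ruby-saml version in the lockfile to its status.
def audit_lockfile(lock_text)
  ruby_saml_versions_in_lockfile(lock_text).to_h { |ver| [ver, ruby_saml_status(ver)] }
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.1.0)
        omniauth (~> 2.0)
        ruby-saml (~> 1.12)
      ruby-saml (1.16.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  audit_lockfile(lock).each { |ver, status| puts "ruby-saml #{ver}: #{status}" }
end
```

Run it with a path to a real Gemfile.lock to audit a deployment, or with no argument to see the constructed sample classified as vulnerable; a lockfile that lists no ruby-saml at all yields an empty result, which is itself worth confirming against the Gemfile, since omniauth-saml pulls ruby-saml in transitively.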
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.