Siemens Mendix SAML Module
Plan: Patch · CVSS 7.4 · ICS-CERT ICSA-22-258-04 · Sep 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The Mendix SAML module insufficiently protects from packet capture replay attacks. An attacker could capture SAML authentication packets and replay them to bypass authentication and gain unauthorized access to the application. The vulnerability exists in multiple versions across Mendix 7, 8, and 9 compatible modules. Two related CVEs address the issue: CVE-2022-37011 (main vulnerability) and CVE-2022-44457 (incomplete fix when non-default "Allow IdP Initiated Authentication" configuration is enabled).
What this means
What could happen
An attacker could replay captured SAML authentication packets to bypass authentication and gain unauthorized access to applications using the Mendix SAML module. This could allow unauthorized users to access the application and its underlying data or functionality without valid credentials.
Who's at risk
Organizations running applications built on the Mendix platform that use the SAML module for authentication. This affects web applications and integration points across all Mendix versions (7, 8, and 9). Any business process or data system relying on Mendix SAML for access control is at risk.
How it could be exploited
An attacker with the ability to capture network traffic (via man-in-the-middle position or network sniffing) could intercept SAML authentication packets. The attacker then replays the captured packet to the application, which accepts it due to insufficient replay protection, allowing authentication bypass and unauthorized access.
Prerequisites
- Network access to capture SAML authentication traffic (man-in-the-middle or network sniffer position)
- Application must use Mendix SAML module for authentication
- Vulnerability is more severe when non-default 'Allow IdP Initiated Authentication' configuration is enabled
Tags: remotely exploitable; no authentication required (for replay); high attack complexity; affects authentication mechanism
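The replay described above succeeds when the service provider accepts an assertion it has already consumed. The following is an added illustration (not the Mendix module's code) of the checks a SAML service provider needs on its side: an assertion-ID cache kept until NotOnOrAfter passes, a validity-window check, and a match against an outstanding AuthnRequest ID, which unsolicited IdP-initiated responses cannot provide, so enabling that mode leaves the ID cache as the only replay defence. The sample response, the request ID `_req1` and the timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# constructed reference time for the sample below (not from the advisory)
T0 = datetime(2022, 9, 13, 12, 0, tzinfo=timezone.utc)

class ReplayGuard:
    def __init__(self, allow_idp_initiated=False):
        self.allow_idp_initiated = allow_idp_initiated
        self.seen = {}        # assertion ID -> NotOnOrAfter, kept until it passes
        self.pending = set()  # AuthnRequest IDs we issued and have not consumed
    def issue_request_id(self, request_id):
        self.pending.add(request_id)
    def accept(self, response_xml, now):
        """Return (ok, reason). Signature verification is assumed to happen first."""
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
        if cond is None or cond.get("NotOnOrAfter") is None:
            return False, "no assertion validity window"
        expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            return False, "assertion expired"
        self.seen = {i: t for i, t in self.seen.items() if t > now}  # prune old IDs
        aid = assertion.get("ID")
        if aid in self.seen:
            return False, "replayed assertion ID"  # a second delivery is refused here
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            if not self.allow_idp_initiated:  # unsolicited response: only the ID cache protects
                return False, "unsolicited response rejected"
        elif in_response_to not in self.pending:
            return False, "unknown or already-consumed request ID"
        else:
            self.pending.discard(in_response_to)
        self.seen[aid] = expiry
        return True, "accepted"

# Constructed sample (not captured traffic); signature elements omitted for brevity.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1">
 <saml:Assertion ID="_a1"><saml:Conditions NotOnOrAfter="2022-09-13T12:05:00Z"/></saml:Assertion>
</samlp:Response>"""

def demo():
    """First delivery is accepted; the same response 30 s later is refused."""
    guard = ReplayGuard()
    guard.issue_request_id("_req1")
    return guard.accept(SAMPLE, T0), guard.accept(SAMPLE, T0 + timedelta(seconds=30))
```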
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (8), all with a fix available

Product                                           Affected Versions         Fix Status
Mendix SAML (Mendix 7 compatible)                 < V1.17.0                 1.17.0
Mendix SAML (Mendix 7 compatible)                 ≥ V1.17.0, < V1.17.2      1.17.2
Mendix SAML (Mendix 8 compatible)                 < V2.3.0                  2.3.0
Mendix SAML (Mendix 8 compatible)                 ≥ V2.3.0, < V2.3.2        2.3.2
Mendix SAML (Mendix 9 compatible, New Track)      < V3.3.1                  3.3.1
Mendix SAML (Mendix 9 compatible, New Track)      ≥ V3.3.1, < V3.3.5        3.3.5
Mendix SAML (Mendix 9 compatible, Upgrade Track)  < V3.3.0                  3.3.0
Mendix SAML (Mendix 9 compatible, Upgrade Track)  ≥ V3.3.0, < V3.3.4        3.3.4
Remediation & Mitigation

Do now
WORKAROUND: If unable to patch immediately, disable the non-default 'Allow IdP Initiated Authentication' configuration option to reduce vulnerability exposure.

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
- Mendix SAML (Mendix 7 compatible). HOTFIX: Update Mendix SAML Module (Mendix 7 compatible) to version 1.17.2 or later to address both CVE-2022-37011 and CVE-2022-44457.
- Mendix SAML (Mendix 8 compatible). HOTFIX: Update Mendix SAML Module (Mendix 8 compatible) to version 2.3.2 or later to address both CVE-2022-37011 and CVE-2022-44457.
- Mendix SAML (Mendix 9 compatible, New Track). HOTFIX: Update Mendix SAML Module (Mendix 9 compatible, New Track) to version 3.3.5 or later to address both CVE-2022-37011 and CVE-2022-44457.
- Mendix SAML (Mendix 9 compatible, Upgrade Track). HOTFIX: Update Mendix SAML Module (Mendix 9 compatible, Upgrade Track) to version 3.3.4 or later to address both CVE-2022-37011 and CVE-2022-44457.

Long-term hardening
- HARDENING: Implement network access controls to restrict SAML traffic and limit exposure to trusted identity providers and authenticated endpoints.
- HARDENING: Place the application and its network behind a firewall, isolating it from untrusted networks and the Internet.
CVEs (2)