Siemens Mendix SAML Module
Act Now · CVSS 9.1 · ICS-CERT ICSA-23-075-05 · Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Mendix SAML module insufficiently verifies SAML assertions, allowing unauthenticated remote attackers to forge SAML responses and bypass authentication to gain unauthorized access to the application. The vulnerability exists in the assertion validation logic and is more severe when the 'Use Encryption' configuration option is disabled. Two rounds of fixes address different aspects: earlier patches address the vulnerability only when encryption is enabled, while later patches close the gap for non-default configurations.
What this means
What could happen
An attacker could bypass authentication by submitting a specially crafted SAML assertion and gain unauthorized access to any Mendix application protected by the vulnerable SAML module. This could allow them to assume the identity of legitimate users and access sensitive operational data or functions.
Who's at risk
Organizations running Mendix applications (versions 7, 8, or 9) protected by the SAML authentication module should be concerned. This includes web applications and dashboards used for plant monitoring, process control data access, or engineering functions. Any organization where a Mendix app serves as the frontend to operational data or control systems is at risk.
How it could be exploited
An attacker sends a modified SAML authentication response to your Mendix application without valid credentials. The vulnerable SAML module fails to properly verify the assertion signature or encryption, accepting the forged assertion and granting access as if the attacker had authenticated legitimately.
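The validation gap described above is the kind a service provider closes by refusing any assertion that fails a fixed set of acceptance checks before the cryptographic signature is even examined. The following is an added Python example written for this page, not the Mendix SAML module's own code: the SP entity ID, ACS URL, timestamps and the two sample responses are constructed, and the policy that the assertion itself must carry a signature referencing its own ID is an assumption made here. It covers the structural gate only; the XML-DSig signature value must still be verified with a real library such as xmlsec, and the 'Use Encryption' posture is modelled as rejecting any plaintext assertion outright.

```python
"""Structural acceptance checks an SP must pass a SAML assertion through before
trusting it.  Added illustration, not the Mendix SAML module's own code: entity
IDs, URLs, timestamps and XML are constructed sample values.  The XML-DSig
signature value itself must still be verified with a real library (e.g. xmlsec);
these checks are the policy gate around that step."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP identity and evaluation time (assumptions for the example).
SP_ENTITY_ID = "https://sp.example.invalid/metadata"
ACS_URL = "https://sp.example.invalid/SSO/assertionconsumer"
NOW = datetime(2023, 3, 14, 10, 2, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2023-03-14T10:00:00Z; None if absent."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, sp_entity_id, acs_url, now, require_encryption):
    """Return the list of reasons to reject the response; an empty list means
    the structural checks passed and signature verification may proceed."""
    problems = []
    root = ET.fromstring(xml_text)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    assertion = root.find("saml:Assertion", NS)

    if encrypted is None and assertion is None:
        return ["no assertion in response"]
    if require_encryption and encrypted is None:
        # 'Use Encryption' posture: a plaintext assertion is never acceptable.
        problems.append("plaintext assertion rejected: encryption is required")
    if assertion is None:
        return problems  # decrypting an EncryptedAssertion is outside this example

    # The signature must sit on the assertion and reference the assertion's own
    # ID; otherwise the body could be swapped under a signature covering
    # something else.  (Policy assumed for this example.)
    assertion_id = assertion.get("ID", "")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + assertion_id:
            problems.append("signature does not reference this assertion")

    # Validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            problems.append("assertion not yet valid")
        if not_on_or_after is None or now >= not_on_or_after:
            problems.append("assertion expired or has no expiry")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience does not include this SP")

    # The assertion must be addressed to this SP's own assertion consumer endpoint.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("recipient is not this SP's ACS URL")
    return problems


def sample_response(signed, audience):
    """Constructed sample Response.  The Signature element is a structural
    placeholder (no real digest or signature value), enough for these checks."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>') if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
        '<saml:Assertion ID="_a1">' + sig +
        '<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions NotBefore="2023-03-14T10:00:00Z" NotOnOrAfter="2023-03-14T10:05:00Z">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )


# An unsigned assertion aimed at another SP must be rejected even with encryption off.
FORGED = sample_response(signed=False, audience="https://other-sp.example.invalid/metadata")
# A signed, correctly addressed assertion passes the structural gate.
SIGNED = sample_response(signed=True, audience=SP_ENTITY_ID)

if __name__ == "__main__":
    print(check_saml_response(FORGED, SP_ENTITY_ID, ACS_URL, NOW, require_encryption=False))
    print(check_saml_response(SIGNED, SP_ENTITY_ID, ACS_URL, NOW, require_encryption=False))
    print(check_saml_response(SIGNED, SP_ENTITY_ID, ACS_URL, NOW, require_encryption=True))
```

Every rejection reason is collected rather than returning on the first failure, which is what you want when the same function feeds both the access decision and a detection log: an assertion that is unsigned and addressed to another SP is a much stronger forgery signal than one that merely arrived a few seconds late.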
Prerequisites
- Network access to the Mendix application's SAML endpoint
- Mendix application must be using the vulnerable SAML module with 'Use Encryption' disabled (or early patch versions)
- No valid user credentials required
- Remotely exploitable over the network
- No authentication required to exploit
- Low complexity attack
- High CVSS score (9.1)
- Affects authentication bypass—all downstream systems that rely on this are exposed
- Multiple affected product versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
12 with fix
Product | Affected Versions | Fixed In
Mendix SAML (Mendix 7 compatible) | ≥ V1.16.4, < V1.17.3 | 1.17.3
Mendix SAML (Mendix 7 compatible) | ≥ V1.17.3, < V1.18.0 | 1.18.0
Mendix SAML (Mendix 8 compatible) | ≥ V2.2.0, < V2.3.0 | 2.3.0
Mendix SAML (Mendix 8 compatible) | ≥ V2.3.0, < V2.4.0 | 2.4.0
Mendix SAML (Mendix 9 latest compatible, New Track) | ≥ V3.1.9, < V3.3.1 | 3.3.1
Mendix SAML (Mendix 9 latest compatible, New Track) | ≥ V3.3.1, < V3.6.1 | 3.6.1
Mendix SAML (Mendix 9 latest compatible, Upgrade Track) | ≥ V3.1.8, < V3.3.0 | 3.3.0
Mendix SAML (Mendix 9 latest compatible, Upgrade Track) | ≥ V3.3.0, < V3.6.0 | 3.6.0
Remediation & Mitigation
Do now
WORKAROUND: Ensure the 'Use Encryption' setting is enabled (set to 'On') in the SAML module configuration
HARDENING: Restrict network access to the Mendix application using firewall rules; do not expose it to the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update the Mendix SAML module: V1.17.3 or later (Mendix 7), V2.3.0 or later (Mendix 8), V3.3.0 or later (Mendix 9)
Long-term hardening
HARDENING: Isolate the Mendix application network from business networks and the Internet
CVEs (2)