Siemens Mendix SAML Module

Plan PatchCVSS 9.1ICS-CERT ICSA-23-075-05Mar 14, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Mendix SAML module insufficiently verifies SAML assertions, allowing unauthenticated remote attackers to forge SAML responses and bypass authentication to gain unauthorized access to the application. The vulnerability exists in the assertion validation logic and is more severe when the 'Use Encryption' configuration option is disabled. Two rounds of fixes address different aspects: earlier patches address the vulnerability only when encryption is enabled, while later patches close the gap for non-default configurations.

What this means

What could happen

An attacker could bypass authentication by submitting a specially crafted SAML assertion and gain unauthorized access to any Mendix application protected by the vulnerable SAML module. This could allow them to assume the identity of legitimate users and access sensitive operational data or functions.

Who's at risk

Organizations running Mendix applications (versions 7, 8, or 9) protected by the SAML authentication module should be concerned. This includes web applications and dashboards used for plant monitoring, process control data access, or engineering functions. Any organization where a Mendix app serves as the frontend to operational data or control systems is at risk.

How it could be exploited

An attacker sends a modified SAML authentication response to your Mendix application without valid credentials. The vulnerable SAML module fails to properly verify the assertion signature or encryption, accepting the forged assertion and granting access as if the attacker had authenticated legitimately.

Prerequisites

Network access to the Mendix application's SAML endpoint
Mendix application must be using the vulnerable SAML module with 'Use Encryption' disabled (or early patch versions)
No valid user credentials required

Remotely exploitable over the networkNo authentication required to exploitLow complexity attackHigh CVSS score (9.1)Affects authentication bypass—all downstream systems that rely on this are exposedMultiple affected product versions

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (12)

12 with fix

ProductAffected VersionsFix Status

Mendix SAML (Mendix 7 compatible)≥ V1.16.4<V1.17.31.17.3

Mendix SAML (Mendix 7 compatible)≥ V1.17.3<V1.18.01.18.0

Mendix SAML (Mendix 8 compatible)≥ V2.2.0<V2.3.02.3.0

Mendix SAML (Mendix 8 compatible)≥ V2.3.0<V2.4.02.4.0

Mendix SAML (Mendix 9 latest compatible, New Track)≥ V3.1.9<V3.3.13.3.1

Mendix SAML (Mendix 9 latest compatible, New Track)≥ V3.3.1<V3.6.13.6.1

Mendix SAML (Mendix 9 latest compatible, Upgrade Track)≥ V3.1.8<V3.3.03.3.0

Mendix SAML (Mendix 9 latest compatible, Upgrade Track)≥ V3.3.0<V3.6.03.6.0

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDEnsure 'Use Encryption' setting is enabled (set to 'On') in SAML module configuration

HARDENINGRestrict network access to the Mendix application using firewall rules; do not expose to the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Mendix SAML module: V1.17.3 or later (Mendix 7), V2.3.0 or later (Mendix 8), V3.3.0 or later (Mendix 9)

Long-term hardening

0/1

HARDENINGIsolate Mendix application network from business networks and the Internet

CVEs (2)

CVE-2023-25957 CVE-2023-29129

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/abbe62dd-5342-4963-b428-9f04437a9f6e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.