OTPulse

Authentication Bypass Vulnerability in Mendix SAML Module

Plan: Patch
CVSS: 7.4
Advisory: SSA-638652
Date: Sep 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The Mendix SAML module is vulnerable to packet capture replay attacks: an attacker who has captured a valid authentication token can present it again to bypass SAML authentication and gain unauthorized access to the application. This affects the Mendix 7, 8, and 9 compatible versions of the module. The root cause is that the module insufficiently protects authentication messages against replay. A second issue exists when the non-default configuration option "Allow IdP Initiated Authentication" is enabled; it is only removed by the second fix version of each release track.

What this means
What could happen
An attacker who captures SAML authentication traffic could replay it to bypass authentication and log into the Mendix application without valid credentials. This would grant access to application functions and potentially to any connected industrial systems or data sources that the application manages.
Who's at risk
Organizations running Mendix applications that use the SAML module for authentication. This is relevant for utilities and municipalities using Mendix-based applications for SCADA integration, asset management, or supervisory systems that rely on centralized identity management.
How it could be exploited
An attacker on the network path between the user and the identity provider (or application) captures a valid SAML authentication response. The attacker then replays this captured response to the Mendix application to authenticate as the original user without needing a password or valid credentials. If "Allow IdP Initiated Authentication" is enabled, the attacker could also initiate authentication directly without even needing to capture a valid response first.
Prerequisites
  • Network access to capture traffic between the user/IdP and the Mendix application (man-in-the-middle position or packet sniffer on the network)
  • A valid SAML authentication response (either captured in transit or initiated by the attacker if IdP-initiated auth is enabled)
  • The Mendix application must be using a vulnerable version of the SAML module
Tags: remotely exploitable · no authentication required (once token is captured) · low complexity attack (packet replay) · affects authentication system
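The replay the advisory describes works because a captured SAML response is accepted again as if it were fresh. The following added example (not code from the Mendix SAML module or the advisory) shows the service-provider side checks that make a second presentation useless: binding the response to an AuthnRequest the SP actually issued (and rejecting unsolicited responses unless IdP-initiated authentication is explicitly allowed, mirroring the module option named above), enforcing the assertion's validity window, and a one-time-use cache keyed on the assertion ID. The class name, the minimal unsigned XML built by make_response, and the timestamps are all constructed for the demonstration; the block operates on already decoded XML and assumes the XML signature was verified before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces for the protocol Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2022-09-13T10:05:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SamlReplayGuard:
    """Hypothetical SP-side anti-replay checks (assumes signature verification already passed)."""

    def __init__(self, allow_idp_initiated=False, clock_skew=timedelta(minutes=2)):
        self.allow_idp_initiated = allow_idp_initiated  # mirrors "Allow IdP Initiated Authentication"
        self.skew = clock_skew
        self.outstanding_requests = set()  # AuthnRequest IDs issued and not yet consumed
        self.seen_assertions = {}          # assertion ID -> time after which it may be forgotten

    def register_request(self, request_id):
        self.outstanding_requests.add(request_id)

    def _forget_expired(self, now):
        self.seen_assertions = {k: v for k, v in self.seen_assertions.items() if v > now}

    def accept(self, response_xml, now):
        """Return (accepted, reason) for a decoded SAML Response."""
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion in response"

        # 1. Bind the response to a request this SP sent (SP-initiated flow).
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            if not self.allow_idp_initiated:
                return False, "unsolicited response rejected (IdP-initiated auth disabled)"
        elif in_response_to not in self.outstanding_requests:
            return False, "InResponseTo does not match an outstanding request"

        # 2. Enforce the validity window the IdP placed on the assertion.
        conditions = assertion.find("saml:Conditions", NS)
        if conditions is None or not conditions.get("NotOnOrAfter"):
            return False, "assertion has no validity window"
        not_before = conditions.get("NotBefore")
        if not_before and now + self.skew < parse_saml_time(not_before):
            return False, "assertion not yet valid"
        not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
        if now - self.skew >= not_on_or_after:
            return False, "assertion expired"

        # 3. One-time use: the same assertion ID inside its window is a replay.
        self._forget_expired(now)
        assertion_id = assertion.get("ID")
        if not assertion_id:
            return False, "assertion has no ID"
        if assertion_id in self.seen_assertions:
            return False, "replayed assertion ID"
        self.seen_assertions[assertion_id] = not_on_or_after + self.skew

        # Consume the request ID only after every check passed.
        if in_response_to is not None:
            self.outstanding_requests.discard(in_response_to)
        return True, "accepted"


def make_response(assertion_id, in_response_to, not_before, not_on_or_after):
    """Build a minimal, unsigned, CONSTRUCTED response for the demonstration only."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1"{irt}>'
        f'<saml:Assertion ID="{assertion_id}">'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion></samlp:Response>"
    )


def demo():
    """Walk through the cases the advisory describes; returns the decision reasons in order."""
    now = datetime(2022, 9, 13, 10, 1, tzinfo=timezone.utc)
    window = ("2022-09-13T10:00:00Z", "2022-09-13T10:05:00Z")
    strict = SamlReplayGuard(allow_idp_initiated=False)
    strict.register_request("_req1")
    strict.register_request("_req2")
    solicited = make_response("_a1", "_req1", *window)
    unsolicited = make_response("_a2", None, *window)
    lenient = SamlReplayGuard(allow_idp_initiated=True)
    results = [
        strict.accept(solicited, now),                           # genuine login: accepted
        strict.accept(solicited, now + timedelta(seconds=30)),   # captured and replayed: request already consumed
        strict.accept(unsolicited, now),                         # IdP-initiated disabled: rejected
        strict.accept(make_response("_a3", "_req2", *window), now + timedelta(hours=1)),  # stale capture
        lenient.accept(unsolicited, now),                        # IdP-initiated allowed: accepted once
        lenient.accept(unsolicited, now + timedelta(seconds=30)),  # second presentation: replay cache hit
    ]
    return [reason for _, reason in results]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The last two cases show why the second fix version matters when IdP-initiated authentication is enabled: without an InResponseTo binding, only the validity window and the one-time-use cache stand between a captured response and a second login, so that cache must be shared across all instances of the application, not kept per process.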
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
Mendix SAML (Mendix 7 compatible) | < V1.17.0 | 1.17.0
Mendix SAML (Mendix 7 compatible) | ≥ V1.17.0 < V1.17.2 | 1.17.2
Mendix SAML (Mendix 8 compatible) | < V2.3.0 | 2.3.0
Mendix SAML (Mendix 8 compatible) | ≥ V2.3.0 < V2.3.2 | 2.3.2
Mendix SAML (Mendix 9 compatible, New Track) | < V3.3.1 | 3.3.1
Mendix SAML (Mendix 9 compatible, New Track) | ≥ V3.3.1 < V3.3.5 | 3.3.5
Mendix SAML (Mendix 9 compatible, Upgrade Track) | < V3.3.0 | 3.3.0
Mendix SAML (Mendix 9 compatible, Upgrade Track) | ≥ V3.3.0 < V3.3.4 | 3.3.4
Remediation & Mitigation
Do now
WORKAROUND: If updating is not immediately possible, disable the 'Allow IdP Initiated Authentication' configuration option until patched
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix SAML (Mendix 7 compatible)
HOTFIX: Update Mendix SAML module to 1.17.0 or later (for Mendix 7 compatible)
Mendix SAML (Mendix 8 compatible)
HOTFIX: Update Mendix SAML module to 2.3.0 or later (for Mendix 8 compatible)
Mendix SAML (Mendix 9 compatible, Upgrade Track)
HOTFIX: Update Mendix SAML module to 3.3.0 or later (for Mendix 9 compatible, Upgrade Track)
Mendix SAML (Mendix 9 compatible, New Track)
HOTFIX: Update Mendix SAML module to 3.3.1 or later (for Mendix 9 compatible, New Track)
All products
HOTFIX: Apply the second fix versions (1.17.2, 2.3.2, 3.3.4, or 3.3.5 depending on track) if 'Allow IdP Initiated Authentication' is enabled in your configuration
Long-term hardening
HARDENING: Implement network segmentation and monitor for suspicious authentication patterns or packet replay indicators
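Monitoring for replay indicators is concrete once the SP logs the assertion ID and the InResponseTo value of every login. The following added example (not part of the advisory and not the Mendix module's own logging) runs a retrospective check over a few constructed log lines: a single assertion ID producing more than one successful login, especially from different source addresses, is the signature of a replayed response, and a successful login with no InResponseTo binding is an unsolicited (IdP-initiated) authentication, which should not occur while that option is disabled. The key=value log format, field names and addresses are all assumed for the demonstration.

```python
import re
from collections import defaultdict

# CONSTRUCTED SP-side login events; the field layout is assumed, not the module's real format.
SAMPLE_LOG = """\
2022-09-13T10:01:02Z event=saml_login assertion_id=_a1 in_response_to=_req1 subject=alice src=10.0.0.5 result=success
2022-09-13T10:01:40Z event=saml_login assertion_id=_a1 in_response_to=_req1 subject=alice src=198.51.100.7 result=success
2022-09-13T10:02:10Z event=saml_login assertion_id=_a2 in_response_to=_req2 subject=bob src=10.0.0.6 result=success
2022-09-13T10:03:00Z event=saml_login assertion_id=_a3 in_response_to=- subject=carol src=203.0.113.9 result=success
2022-09-13T10:04:15Z event=saml_login assertion_id=_a4 in_response_to=_req4 subject=dave src=10.0.0.8 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def find_replay_indicators(log_text, idp_initiated_allowed=False):
    """Return (indicator, assertion_id, detail) tuples for the two patterns worth alerting on."""
    successes_by_assertion = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        # Only successful SAML logins matter: a rejected replay is the control working.
        if not f or f.get("event") != "saml_login" or f.get("result") != "success":
            continue
        successes_by_assertion[f["assertion_id"]].append(f)
        # Unsolicited login: no AuthnRequest binding while IdP-initiated auth is meant to be off.
        if f.get("in_response_to", "-") == "-" and not idp_initiated_allowed:
            findings.append(("unsolicited_login", f["assertion_id"],
                             f"subject={f['subject']} src={f['src']} at {f['ts']}"))
    # Reuse: the same assertion accepted more than once is a replay, whatever the source.
    for assertion_id, events in successes_by_assertion.items():
        if len(events) > 1:
            sources = sorted({e["src"] for e in events})
            findings.append(("assertion_reused", assertion_id,
                             f"{len(events)} successful logins from {', '.join(sources)}"))
    return findings


if __name__ == "__main__":
    for indicator, assertion_id, detail in find_replay_indicators(SAMPLE_LOG):
        print(f"{indicator}: {assertion_id} ({detail})")
```

In a real deployment the unsolicited_login rule is only meaningful where the workaround (option disabled) is in place, and the reuse rule needs the logs of every application instance joined together, since a replay against a different node would otherwise look like a first use on each.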