Impact
If an attacker gains knowledge of certain details of SAML IdP metadata of a team and is able to configure SAML SSO for its own team on the same backend, then the attacker can:
- Delete all SAML authenticated accounts of the attacked team
- Authenticate as user from existing accounts from the attacked team (only if the account authenticates via SAML)
- Create arbitrary accounts in the context of the team (only if the attacked team is not managed by SCIM)
Patches
- The issue is fixed in wire-server 2022-07-12 and is already deployed on all Wire managed services.
- On-premise instances of wire-server need to be updated to 2022-07-12/Chart 4.19.0, so that their backends are no longer affected.
Workarounds
The risk of an attack can be reduced by disabling SAML configuration for teams (galley.config.settings.featureFlags.sso).
Helm overrides are located in values/wire-server/values.yaml
Note
The ability to configure SAML SSO as a team is disabled by default for on-premise installations.
For more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com
Impact
If an attacker gains knowledge of certain details of SAML IdP metadata of a team and is able to configure SAML SSO for its own team on the same backend, then the attacker can:
Patches
Workarounds
The risk of an attack can be reduced by disabling SAML configuration for teams (
galley.config.settings.featureFlags.sso).Helm overrides are located in
values/wire-server/values.yamlFor more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com