HCSEC-2024-19 - Terraform Enterprise’s Single Sign-On And Ruby SAML’s CVE-2024-45409

Bulletin ID: HCSEC-2024-19
Affected Products / Versions: Terraform Enterprise up to v202408-1; fixed in v202409-1.
Publication Date: September 24, 2024

Summary
Terraform Enterprise’s single sign-on functionality is implemented using the Ruby SAML library, which disclosed an authentication bypass vulnerability exploitable by an XML signature wrapping attack. This vulnerability, CVE-2024-45409, was addressed by an upgrade of the Ruby SAML version used in Terraform Enterprise v202409-1.

Background
Terraform Enterprise provides single sign-on (SSO) functionality via optional SAML integration with an identity provider (configuration docs, tutorial).

Details
Terraform Enterprise’s SSO functionality is implemented using the open source Ruby SAML library, which recently disclosed an authentication bypass vulnerability (CVE-2024-45409).

HashiCorp’s internal testing, targeting an SSO-enabled Terraform Enterprise deployment, has not confirmed exploitability at this time. However, the version of the Ruby SAML library in use by Terraform Enterprise has been upgraded to a newer release in which the vulnerability has been addressed.

Remediation
Customers using Terraform Enterprise’s SSO feature should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v202409-1 or newer. Please refer to Upgrade Terraform Enterprise for general guidance and Terraform Enterprise Releases for version-specific upgrade notes.

Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202409-1 or higher in the near future should consider enabling Terraform Enterprise’s integrated two-factor authentication functionality. If enabled prior to an attack, this may reduce the impact of a SAML authentication bypass. Organization owners can require team members to enable two-factor authentication in their organization’s Settings page.

Customers on a Replicated deployment of Terraform Enterprise should refer to Migrate to non-Replicated runtime. To ensure you continue to receive the latest features and fixes, including security updates, please plan to migrate to a new deployment option by November 2024.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Confirmation of Exposure

The internal testing referenced in this bulletin was recently successful in confirming the exposure of Terraform Enterprise’s SSO feature to the Ruby SAML vulnerability, CVE-2024-45409. This vulnerability allows attackers to bypass authentication controls within an SSO-enabled Terraform Enterprise deployment.

Likelihood of exploitation for SSO-enabled Terraform Enterprise deployments will be dependent upon deployment architecture, with Internet-facing deployments potentially more prone to attack than internal-facing or air-gapped deployments.

Exploitation of a network-accessible system is not straightforward, as some amount of internal and deployment-specific knowledge is required to craft the attack.

Remediation Update

Enabling Terraform Enterprise’s two-factor authentication functionality should no longer be considered a possible mitigation.

Customers who use Terraform Enterprise’s SSO should prioritize an upgrade to Terraform Enterprise v202409-3 or newer (v202410-1 is scheduled for release in late October). Please refer to Upgrade Terraform Enterprise for general guidance and Terraform Enterprise Releases for version-specific upgrade notes.

Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202409-3 or newer in the near future should consider:

  • Ensuring that Terraform Enterprise deployments are accessible only from trusted network locations.
  • Monitoring Terraform Enterprise deployments for indicators of compromise as noted below.
  • Temporarily disabling Terraform Enterprise’s SSO feature until upgrade can be completed.

Customers on a Replicated deployment of Terraform Enterprise should refer to Migrate to non-Replicated runtime. To ensure you continue to receive the latest features and fixes, including security updates, please plan to migrate to a new deployment option by November 2024.

Indicators of Compromise

For general information about Terraform Enterprise logging, please see Monitor Terraform Enterprise. Logs for Terraform Enterprise’s atlas service (/var/log/terraform-enterprise/atlas.log) may contain indicators of unsuccessful attempts and/or successful exploitation.

Note that the log events referenced below may be generated as a result of legitimate operations done by legitimate users. A single log event may not be a high-fidelity indicator, but a combination of these may warrant further investigation.

Unsuccessful attempts at exploitation will likely result in exceptions being logged. Two specific log events that may indicate attempted exploitation are:

  • Lines containing OneLogin::RubySaml::ValidationError with a message attribute such as Issuer of the Assertion not found or multiple.
  • Lines containing Exceptions::Saml::ConfigurationError with details indicating invalid or incomplete SAML Responses.

Successful exploitation may result in the creation of a new user, update of an existing user, or granting of administrator access to an existing user. Log entries associated with these events will have [Audit Log] lines mapping to the user resource ("resource":"user") and containing matching actions, such as "action": "create", "action": "update", and "action": "grant_admin".

Post-exploitation activity may also have log entries recording the use of the impersonation feature to assume the identity of a legitimate user, deletion of a newly created user, disabling user MFA, and similar tactics.
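The following script is an added example, not HashiCorp's code or part of this bulletin. It scans atlas.log lines for the indicators listed above (the two exception strings for unsuccessful attempts and [Audit Log] entries on the user resource with the create, update and grant_admin actions) and applies the bulletin's guidance that a single event is low fidelity by only flagging a failed SAML validation that is later followed by a sensitive change to a user. The log line layout in SAMPLE_LOG is constructed for illustration; the real atlas.log format may differ, so the timestamp and JSON layout are assumptions and the regular expressions should be adjusted to match your own logs.

```python
"""Scan Terraform Enterprise atlas.log lines for the HCSEC-2024-19 indicators.

Added example, not HashiCorp's code. The log line layout used in SAMPLE_LOG is a
constructed assumption; only the indicator strings come from the bulletin.
"""
import re
from collections import Counter

# Indicators of unsuccessful exploitation attempts (exception strings from the bulletin).
FAILED_ATTEMPT_PATTERNS = {
    "saml_validation_error": re.compile(
        r"OneLogin::RubySaml::ValidationError.*Issuer of the Assertion not found or multiple"
    ),
    "saml_configuration_error": re.compile(r"Exceptions::Saml::ConfigurationError"),
}

# Audit-log actions on the user resource that may indicate successful exploitation.
SENSITIVE_USER_ACTIONS = {"create", "update", "grant_admin"}

AUDIT_MARKER = "[Audit Log]"
# Tolerate both "key":"value" and "key": "value" spacing, as seen in the bulletin.
RESOURCE_RE = re.compile(r'"resource"\s*:\s*"([^"]+)"')
ACTION_RE = re.compile(r'"action"\s*:\s*"([^"]+)"')

# Constructed sample log; timestamps, levels and JSON fields are assumptions.
SAMPLE_LOG = """\
2024-09-25T10:00:01Z atlas INFO  GET /session/saml/login 302
2024-09-25T10:00:07Z atlas ERROR OneLogin::RubySaml::ValidationError: Issuer of the Assertion not found or multiple.
2024-09-25T10:00:09Z atlas ERROR Exceptions::Saml::ConfigurationError: SAML Response is invalid or incomplete
2024-09-25T10:00:15Z atlas INFO  [Audit Log] {"resource":"user","action":"create","resource_id":"user-EXAMPLE"}
2024-09-25T10:00:20Z atlas INFO  [Audit Log] {"resource":"user","action": "grant_admin","resource_id":"user-EXAMPLE"}
2024-09-25T10:01:00Z atlas INFO  [Audit Log] {"resource":"workspace","action":"update","resource_id":"ws-EXAMPLE"}
2024-09-25T10:02:00Z atlas INFO  [Audit Log] {"resource":"user","action":"read","resource_id":"user-EXAMPLE"}
"""


def classify(line):
    """Return an indicator name for one log line, or None if nothing matches."""
    for name, pattern in FAILED_ATTEMPT_PATTERNS.items():
        if pattern.search(line):
            return name
    if AUDIT_MARKER in line:
        resource = RESOURCE_RE.search(line)
        action = ACTION_RE.search(line)
        if (resource and action and resource.group(1) == "user"
                and action.group(1) in SENSITIVE_USER_ACTIONS):
            return "user_" + action.group(1)
    return None


def scan(lines):
    """Classify every line; return (Counter of indicator names, list of (name, line) hits)."""
    counts = Counter()
    hits = []
    for line in lines:
        name = classify(line)
        if name:
            counts[name] += 1
            hits.append((name, line.rstrip()))
    return counts, hits


def needs_investigation(hits):
    """Flag the combination the bulletin describes: a failed SAML validation
    followed later in the log by a sensitive change to a user."""
    seen_failure = False
    for name, _ in hits:
        if name in FAILED_ATTEMPT_PATTERNS:
            seen_failure = True
        elif name.startswith("user_") and seen_failure:
            return True
    return False


if __name__ == "__main__":
    counts, hits = scan(SAMPLE_LOG.splitlines())
    for name, line in hits:
        print(f"{name:25s} {line}")
    print("counts:", dict(counts))
    print("investigate:", needs_investigation(hits))
```

Run it against a real file with `scan(open("/var/log/terraform-enterprise/atlas.log"))` once the regexes match your log format. The ordering rule in `needs_investigation` is deliberately simple; in practice you would also window by time and by the client address or user named in the entries, which this example does not model.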