HCSEC-2024-19 - Terraform Enterprise’s Single Sign-On And Ruby SAML’s CVE-2024-45409

Bulletin ID: HCSEC-2024-19
Affected Products / Versions: Terraform Enterprise up to v202408-1; fixed in v202409-1.
Publication Date: September 24, 2024

Summary
Terraform Enterprise’s single sign-on functionality is implemented using the Ruby SAML library, which disclosed an authentication bypass vulnerability exploitable by an XML signature wrapping attack. This vulnerability, CVE-2024-45409, was addressed by upgrading the Ruby SAML version used in Terraform Enterprise v202409-1.

Background
Terraform Enterprise provides single sign-on (SSO) functionality via optional SAML integration with an identity provider (see the SAML configuration docs and tutorial).

Details
Terraform Enterprise’s SSO functionality is implemented using the open source Ruby SAML library, which recently disclosed an authentication bypass vulnerability (CVE-2024-45409). In an XML signature wrapping attack, an attacker who holds any document signed by the identity provider rearranges it so that the signature still verifies over the original element while the service provider reads identity data from a different, attacker-controlled element.

HashiCorp’s internal testing, targeting an SSO-enabled Terraform Enterprise deployment, has not confirmed exploitability at this time. However, the version of the Ruby SAML library in use by Terraform Enterprise has been upgraded to a newer release in which the vulnerability has been addressed.
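The following Ruby example is added here to illustrate the class of problem; it is not code from this bulletin, from Terraform Enterprise, or from the Ruby SAML library, and it does not reproduce the library's actual defect. It contrasts a naive SAML consumer, which checks that a signature exists somewhere in the document and then reads the first Assertion it finds, with a consumer that only trusts the Assertion the enveloped signature actually covers. The sample Response documents, the IDs `_resp`, `_orig` and `_evil`, the issuer and NameID values are all constructed, the DigestValue and SignatureValue are placeholders, and cryptographic verification of the signature is assumed to be performed separately; the code enforces only the structural binding that signature wrapping breaks.

```ruby
require 'rexml/document'

# Namespaces used by SAML 2.0 responses and XML-DSig.
NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

class SamlWrappingError < StandardError; end

# Constructed sample: an Assertion for alice carrying an enveloped signature
# whose Reference points at the Assertion's own ID. Digest and signature
# values are placeholders, not real cryptographic output.
SIGNED_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{NS['saml']}" ID="_orig" Version="2.0">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature xmlns:ds="#{NS['ds']}">
      <ds:SignedInfo>
        <ds:Reference URI="#_orig"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
XML

# Constructed attacker payload: an unsigned Assertion claiming another user.
FORGED_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{NS['saml']}" ID="_evil" Version="2.0">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>admin@corp.example</saml:NameID></saml:Subject>
  </saml:Assertion>
XML

def response(*children)
  "<samlp:Response xmlns:samlp=\"#{NS['samlp']}\" ID=\"_resp\" Version=\"2.0\">#{children.join}</samlp:Response>"
end

LEGIT_RESPONSE = response(SIGNED_ASSERTION)
# Wrapped: the forgery comes first, and the genuinely signed Assertion is
# demoted into <samlp:Extensions>, where a document-wide "//" search still
# finds a signature but the first Assertion in document order is the forgery.
WRAPPED_RESPONSE = response(FORGED_ASSERTION, "<samlp:Extensions>#{SIGNED_ASSERTION}</samlp:Extensions>")

# Vulnerable pattern: the signature check and the Assertion lookup are never
# tied to the same element.
def naive_name_id(xml)
  doc = REXML::Document.new(xml)
  raise SamlWrappingError, 'no signature' unless REXML::XPath.first(doc, '//ds:Signature', NS)
  REXML::XPath.first(doc, '//saml:Assertion/saml:Subject/saml:NameID', NS).text
end

# Hardened pattern: only an enveloped signature that is a direct child of the
# Response, or of a direct-child Assertion, is considered, its Reference is
# read relative to that Signature (never via a document-wide XPath), the ID
# must resolve to exactly one element, and that element must be the parent of
# the Signature. Identity data is read only from the element so identified.
def signed_name_id(xml)
  doc = REXML::Document.new(xml)
  resp = doc.root
  sigs = REXML::XPath.match(resp, './ds:Signature', NS) +
         REXML::XPath.match(resp, './saml:Assertion/ds:Signature', NS)
  raise SamlWrappingError, "expected one enveloped signature, found #{sigs.size}" unless sigs.size == 1
  sig = sigs.first
  refs = REXML::XPath.match(sig, './ds:SignedInfo/ds:Reference', NS)
  raise SamlWrappingError, "expected one Reference, found #{refs.size}" unless refs.size == 1
  uri = refs.first.attributes['URI'].to_s
  raise SamlWrappingError, "unsupported Reference URI #{uri.inspect}" unless uri.start_with?('#')
  id = uri[1..]
  # Resolve the ID in Ruby instead of interpolating it into an XPath string,
  # and insist on uniqueness: a duplicated ID is how a forged element borrows
  # a valid digest.
  matches = REXML::XPath.match(doc, '//*[@ID]').select { |e| e.attributes['ID'] == id }
  raise SamlWrappingError, "ID #{id} resolves to #{matches.size} elements" unless matches.size == 1
  signed = matches.first
  raise SamlWrappingError, 'Reference does not cover the signed element' unless signed.equal?(sig.parent)
  assertion =
    if signed.name == 'Assertion'
      signed
    else
      inner = REXML::XPath.match(signed, './saml:Assertion', NS)
      raise SamlWrappingError, "expected one Assertion in signed Response, found #{inner.size}" unless inner.size == 1
      inner.first
    end
  REXML::XPath.first(assertion, './saml:Subject/saml:NameID', NS).text
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, legit:   #{naive_name_id(LEGIT_RESPONSE)}"
  puts "naive, wrapped: #{naive_name_id(WRAPPED_RESPONSE)}"
  puts "strict, legit:  #{signed_name_id(LEGIT_RESPONSE)}"
  begin
    signed_name_id(WRAPPED_RESPONSE)
  rescue SamlWrappingError => e
    puts "strict, wrapped: rejected (#{e.message})"
  end
end
```

Run with `ruby saml_wrapping.rb` (file name assumed): the naive consumer accepts the wrapped document and logs in admin@corp.example, while the strict consumer rejects it because no enveloped signature sits where the SAML profile requires one. The structural checks are necessary but not sufficient on their own; the digest and signature values still have to be verified over the same element the ID resolves to.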

Remediation
Customers using Terraform Enterprise’s SSO feature should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v202409-1 or newer. Please refer to Upgrade Terraform Enterprise for general guidance and Terraform Enterprise Releases for version-specific upgrade notes.

Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202409-1 or higher in the near future should consider enabling Terraform Enterprise’s integrated two-factor authentication functionality. If enabled prior to an attack, this may reduce the impact of a SAML authentication bypass, since a forged assertion alone would not satisfy the second factor. Organization owners can require team members to enable two-factor authentication in their organization’s Settings page.

Customers on a Replicated deployment of Terraform Enterprise should refer to Migrate to non-Replicated runtime. To ensure you continue to receive the latest features and fixes, including security updates, please plan to migrate to a new deployment option by November 2024.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.