A high-severity vulnerability has been discovered in Lasso (Liberty Alliance Single Sign-On), a C library that implements Liberty Alliance and SAML, affecting products from Akamai, Cisco, and Linux. The vulnerability, tracked as CVE-2021-28091, was detected at Akamai, where it impacted the company's Enterprise Application Access (EAA) product.
Akamai also explained that the flaw allowed an attacker to impersonate legitimate users of products that rely on Lasso, and that those products were affected as well.
In its statement, Akamai said that the vulnerability enabled an attacker who could obtain a SAML response for an organization to impersonate that organization's genuine users.
Moreover, the issue was made worse because attackers were required to obtain genuine identities and authorization, or to have gotten hold of credentials. The effects fall into four categories according to the impact they pose: an attacker with network access, an attacker with application access (unauthenticated as well as authenticated), and an alternate of any Lasso dependency.
The vulnerability also affects the SOGo and PacketFence packages, which Akamai recently acquired.
Credit for detecting the vulnerability goes to the Best Buy Enterprise Information Protection team and Sam Tinklenberg, who notified Akamai of its presence in February 2021. Akamai has provided the necessary technical details on the issue. The company observed that the same class of vulnerability, known as XML Signature Wrapping, has occurred and been reported multiple times over the past couple of years; however, it has existed in the Lasso codebase since 2005.
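XML Signature Wrapping succeeds when a relying party verifies a signature over one part of a SAML response but then consumes a different, unsigned part. The defensive rule is that the element actually used (the Assertion and its Subject) must be the exact element the signature's Reference covers, and nothing else in the document may be an Assertion. The following is an added example in Python, written for this article and not Akamai's or Lasso's code; it uses only the standard SAML 2.0 and XML-DSig namespaces, assumes the caller performs the cryptographic signature check separately (with xmlsec or equivalent), and operates on constructed sample responses, not real IdP output.

```python
"""
Structural XML Signature Wrapping (XSW) check for a SAML 2.0 Response.

Added example; not code from Akamai, Lasso or any product named above.
It does NOT verify the cryptographic signature (that needs XML-DSig
canonicalization and a trusted IdP key). It demonstrates the structural
checks a relying party must apply in addition to cryptographic
verification, so the assertion it consumes is the one the signature covers.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


def _signature_reference_uri(signature):
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI") if ref is not None else None


def select_signed_assertion(response_xml):
    """
    Return (ok, reason, subject_name).
    ok is True only when the Response contains exactly one Assertion anywhere
    in the document, that Assertion is a direct child of the Response, carries
    exactly one enveloped ds:Signature whose Reference URI is '#<its ID>', and
    no other element reuses that ID.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root is not a samlp:Response", None

    # Search the whole tree, not just the expected location: wrapping
    # variants place extra Assertions in unexpected positions.
    all_assertions = list(root.iter(SAML_ASSERTION))
    if len(all_assertions) != 1:
        return False, "expected exactly one Assertion, found %d" % len(all_assertions), None
    assertion = all_assertions[0]
    if assertion not in list(root):
        return False, "Assertion is not a direct child of Response", None

    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "Assertion has no ID", None

    signatures = [s for s in assertion if s.tag == DS_SIGNATURE]
    if len(signatures) != 1:
        return False, "Assertion must carry exactly one enveloped Signature", None
    uri = _signature_reference_uri(signatures[0])
    if uri != "#" + assertion_id:
        return False, "Signature Reference URI %r does not match Assertion ID %r" % (uri, assertion_id), None

    # The referenced ID must be unique, otherwise the signature could cover
    # a different element carrying the same ID.
    if any(e.get("ID") == assertion_id and e is not assertion for e in root.iter()):
        return False, "Assertion ID is not unique in the document", None

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return True, "ok", (name_id.text if name_id is not None else None)


# ---- constructed sample documents (not real IdP output) ----
def _response(assertions_xml):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">'
        + assertions_xml + "</samlp:Response>"
    )


def _assertion(aid, name, signed=True, ref=None):
    sig = ""
    if signed:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
               % (ref or "#" + aid))
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>' % (aid, sig, name))


GOOD = _response(_assertion("_a1", "alice@example.org"))
# A second, unsigned Assertion alongside the signed one: must be rejected.
EXTRA_UNSIGNED = _response(_assertion("_a1", "alice@example.org")
                           + _assertion("_a2", "admin@example.org", signed=False))
# The signature's Reference points at some other ID: must be rejected.
REF_MISMATCH = _response(_assertion("_a1", "alice@example.org", ref="#_other"))

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("extra-unsigned", EXTRA_UNSIGNED),
                       ("ref-mismatch", REF_MISMATCH)]:
        print(label, select_signed_assertion(doc))
```

Run it as a script to see each constructed document classified. The checks are deliberately strict (exactly one Assertion, exactly one Signature, matching Reference URI, unique ID) because a relying party that tolerates extra or unsigned assertions is exactly what a wrapped response exploits; the cryptographic verification of the single accepted Assertion still has to happen afterwards.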