CVE-2018-3822

Vulnerability

X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack due to incorrect XML canonicalization and DOM traversal in SAML processing. The vulnerability requires that the SAML Identity Provider (IdP) allows self-registration with arbitrary identifiers and that an attacker can register an account with an identifier that shares a suffix with a legitimate user's identifier [1].

Exploitation

An attacker must have the ability to register a new account with the SAML IdP using an arbitrary identifier. The attacker then registers an identifier that shares a suffix with a target legitimate user's identifier. By exploiting the XML canonicalization and DOM traversal flaw, the attacker can craft a SAML assertion that causes X-Pack Security to misinterpret the user identity, effectively impersonating the legitimate user [1].

Impact

Successful exploitation allows an attacker to impersonate a legitimate user, gaining all the privileges and access rights associated with that user's account within the Elastic Stack. This can lead to unauthorized data access, modification, or other actions depending on the user's permissions [1].

Mitigation

Users should upgrade to Elasticsearch version 6.2.3, which contains the fix for this vulnerability. No workarounds are available; upgrading is the only mitigation [1].