CVE-2024-41107
Published: 19 July 2024
Summary
CVE-2024-41107 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Apache CloudStack. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability affects Apache CloudStack's SAML authentication plugin, which is disabled by default. When enabled, the plugin fails to enforce signature validation on SAML responses, allowing spoofed assertions to be accepted without cryptographic verification (CWE-290). This impacts any CloudStack deployment that has explicitly enabled SAML single sign-on for user authentication.
An attacker who can reach the CloudStack SAML endpoint can initiate an authentication flow and submit a crafted, unsigned SAML response containing a guessed or known username and associated attributes. Successful exploitation grants the attacker a valid session for the targeted account, resulting in full access to all resources and privileges associated with that SAML-enabled user. The attack requires no prior credentials and is rated CVSS 8.1 due to its network-accessible nature and high impact.
Advisories from the Apache CloudStack project and related oss-security postings recommend immediately setting the global configuration parameter "saml2.enabled" to false if SAML is not required, or upgrading to CloudStack 4.18.2.2, 4.19.1.0, or later releases that restore proper signature checking. The referenced GitHub issue and mailing-list threads contain the coordinated disclosure details and patch information.
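The two facts the advisory ties exposure to are the running release and the "saml2.enabled" global setting. The following audit helper is an added example, not code from the advisory or the CloudStack project; the JSON reply shape it reads (a listConfigurations-style response) is a constructed assumption, and the version thresholds are the fixed releases named above.

```python
# Added example (not from the advisory or the CloudStack project): decides whether a
# CloudStack deployment is exposed to CVE-2024-41107 from the two facts the advisory
# names, the running version and the "saml2.enabled" global setting. The JSON shape
# below mimics a listConfigurations API reply and is a constructed assumption.
import json
import re


def parse_version(version: str) -> tuple:
    """Turn '4.19.0.1' or '4.18.1.0-SNAPSHOT' into a comparable 4-int tuple."""
    core = re.match(r"(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised CloudStack version: {version!r}")
    parts = tuple(int(p) for p in core.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad '4.19' -> (4, 19, 0, 0)


def version_is_fixed(version: str) -> bool:
    """Fixed releases per the advisory: 4.18.2.2, 4.19.1.0, or anything later."""
    v = parse_version(version)
    if v[:2] == (4, 18):
        return v >= (4, 18, 2, 2)   # the 4.18 branch got its own fixed release
    return v >= (4, 19, 1, 0)       # 4.19.0.x is exposed; 4.20+ ships fixed


def saml2_enabled(list_configurations_json: str) -> bool:
    """Read saml2.enabled from a listConfigurations reply (reply shape assumed)."""
    body = json.loads(list_configurations_json)["listconfigurationsresponse"]
    for cfg in body.get("configuration", []):
        if cfg.get("name") == "saml2.enabled":
            return str(cfg.get("value", "false")).lower() == "true"
    return False  # the SAML plugin is disabled by default


def exposed_to_cve_2024_41107(version: str, saml2_on: bool) -> bool:
    """Exposed only when SAML SSO is switched on AND the build predates the fix."""
    return saml2_on and not version_is_fixed(version)


# Constructed sample reply: SAML SSO switched on in a 4.19.0.1 deployment.
SAMPLE_REPLY = json.dumps({"listconfigurationsresponse": {"count": 1, "configuration": [
    {"category": "Advanced", "name": "saml2.enabled", "value": "true"}]}})

if __name__ == "__main__":
    on = saml2_enabled(SAMPLE_REPLY)
    for ver in ("4.18.1.0", "4.18.2.2", "4.19.0.1", "4.19.1.0", "4.20.0.0"):
        print(ver, "EXPOSED" if exposed_to_cve_2024_41107(ver, on) else "ok")
```

A deployment with the plugin disabled is not exposed regardless of version, which is why the setting is checked before the release number.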
The EPSS score has remained consistently high (current 0.92, peak 0.93) since publication, indicating sustained exploitation interest without evidence of a sharp post-disclosure climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38929
Vulnerability details
The CloudStack SAML authentication (disabled by default) does not enforce signature checks. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML-enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.
- Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.
- Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.
- Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.
- Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.
- Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.
- Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.
- Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.