Mend.io cross-tenant access via vulnerable SAML implementation

  • Company: Mend.io
  • Severity: Medium
  • Industry: Application Security - Software
  • Credits: Antti Seppala & Jani Tattari

Overview

Mend.io is a company that offers a variety of application security solutions to organizations via its online platform. Many organizations use it to monitor code libraries used in their software for vulnerabilities.

The Security Assertion Markup Language (SAML) implementation used by Mend.io in its application security platform could allow a Mend.io customer, acting as an attacker, to access the data of a subset of other customers simply by guessing a valid email address.

Details

SAML is an XML-based standard used for single sign-on (SSO) authentication, allowing a user to access multiple applications with a single set of credentials. Rather than having each service store login credentials directly, it delegates authentication to a dedicated identity provider (IdP), which authenticates users trying to access an online service and issues a signed assertion that the service trusts. This offers numerous benefits for both software-as-a-service (SaaS) providers and end users.

In this case, however, Mend.io's SAML login was not scoped to specific customer tenants: a SAML login was accepted for whichever account matched the asserted email address, which allowed unauthorized access to any other customer tenant.
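To make the tenant-scoping gap concrete, the following is an added example (not code from Mend.io or WithSecure) of the account-resolution step in a SAML assertion consumer. It contrasts a lookup keyed on the asserted email alone with one that also requires the issuing IdP to be the one registered for the user's tenant. Tenant names, IdP entity IDs, and email addresses are constructed placeholders; signature, audience, and validity-window checks are assumed to have been enforced upstream and are not shown.

```python
"""
Tenant-scoped SAML account resolution (added example, not Mend.io's code).

Assumption: the assertion passed in has already had its XML signature,
Audience, and NotOnOrAfter conditions verified. These functions only show
the step that maps a verified assertion to a local account.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed tenant directory: which IdP (identified by its SAML Issuer /
# entityID) is registered for which customer tenant.
TENANT_BY_ISSUER = {
    "https://idp.tenant-a.example/saml": "tenant-a",
    "https://idp.tenant-b.example/saml": "tenant-b",
}

# Constructed user directory keyed by email; every user belongs to one tenant.
USERS = {
    "alice@tenant-a.example": {"tenant": "tenant-a", "role": "admin"},
    "bob@tenant-b.example": {"tenant": "tenant-b", "role": "viewer"},
}


def parse_assertion(xml_text):
    """Extract the Issuer and Subject NameID from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not issuer or not name_id:
        raise ValueError("assertion is missing Issuer or NameID")
    return issuer.strip(), name_id.strip()


def resolve_user_unscoped(assertion_xml):
    """Weak pattern: any registered IdP may log in any user by email.

    The issuer is only checked for being *some* registered IdP; the tenant
    it belongs to is never compared with the tenant of the asserted user.
    """
    issuer, email = parse_assertion(assertion_xml)
    if issuer not in TENANT_BY_ISSUER:
        return None
    user = USERS.get(email)
    return None if user is None else (email, user["tenant"])


def resolve_user_scoped(assertion_xml):
    """Hardened pattern: the asserting IdP must own the user's tenant."""
    issuer, email = parse_assertion(assertion_xml)
    tenant = TENANT_BY_ISSUER.get(issuer)
    if tenant is None:
        return None
    user = USERS.get(email)
    # Reject assertions about users outside the issuing IdP's own tenant.
    if user is None or user["tenant"] != tenant:
        return None
    return email, tenant


def build_assertion(issuer, email):
    """Constructed minimal (unsigned) assertion used as sample input."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    own = build_assertion("https://idp.tenant-a.example/saml", "alice@tenant-a.example")
    cross = build_assertion("https://idp.tenant-a.example/saml", "bob@tenant-b.example")
    print("own tenant, unscoped:", resolve_user_unscoped(own))
    print("own tenant, scoped:  ", resolve_user_scoped(own))
    print("cross tenant, unscoped:", resolve_user_unscoped(cross))
    print("cross tenant, scoped:  ", resolve_user_scoped(cross))
```

The scoped variant is the check the advisory's remediation amounts to: the tenant is derived from the trusted issuer, not from the user-controlled NameID, and the two must agree before a session is created. When reviewing logs for abuse, the corresponding signal is a successful SAML login whose issuer is registered to a different tenant than the account that was logged in.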

Impact

Mend.io customers could access the data of other customers in the same SaaS environment by guessing or otherwise obtaining a valid email address. An attacker able to open an account with Mend.io could therefore use this vulnerability to obtain information on the vulnerabilities present in other Mend.io customers' software for further use (for example, targeted attacks).

No active exploitation of this vulnerability has been observed by either Mend.io or WithSecure.

Remediation

WithSecure contacted Mend.io immediately after discovering the vulnerability. Following Mend.io's acknowledgement of the issue, the two companies worked together to remediate the problem in Mend.io's platform. An additional layer of security to prevent cross-account/organization collaboration was implemented in the platform. End users can ask Mend.io to remove this additional layer in the event they require access to data stored in different accounts.

The remediation was implemented directly into the platform, meaning no user action is required in order to fix the problem. However, WithSecure does recommend Mend.io customers review any relevant logs for signs of abuse.