Subject: Security Scan (Veracode) - Flagging some features from ComponentPro.Saml.dll as Security Risks
Date: 2017-10-06 17:52:49
From: Adrian Cruz
Source: security-scan-veracode-flagging-features-componentpro-saml-dll-security-risks
----------------------------------------------------------------------

Hi,
 
A few months ago we implemented an SSO solution using ComponentPro.Saml to create a response from the request of our consumer and to do the proper validation against the response. However, in our security scan (static scan) of the application that uses this SSO implementation we got a handful of High Level Security Risks related to ComponentPro.Saml.dll. The security risks are as follows:
 
  1. CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using the System.Security.Cryptography.MD5.Create() function, which uses a hash algorithm that is considered weak.
  2. CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using the System.Security.Cryptography.SHA1CryptoServiceProvider.!newinit_0_0() function, which uses a hash algorithm that is considered weak.
  3. CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using System.Security.Cryptography.TripleDES.Create, which uses a known risky cryptographic algorithm.
  4. CWE-326: Inadequate Encryption Strength - ComponentPro.Saml.dll is using System.Security.Cryptography.SymmetricAlgorithm.set_KeySize. The key size specified for this algorithm is not large enough to protect it from brute force attacks. We get this error three times, one per CWE-327.
  5. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - ComponentPro.Saml.dll is using the System.Xml.XmlDocument.LoadXml() function to parse an XML document. By default, the default XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.
 
We would like to know the following:
Thank You,
 
Adrian Cruz
----------------------------------------------------------------------
Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand. If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back.
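Finding 5 above is about how System.Xml.XmlDocument handles DTDs and external entities. The following is an added example, not code from ComponentPro.Saml.dll or from the poster, showing the hardened way to load an untrusted SAML response in .NET: DTD processing is prohibited and the resolver is set to null, so the parser never fetches external references. The SafeXmlLoader class name and the sample payloads are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (hypothetical helper, not ComponentPro code).
public static class SafeXmlLoader
{
    // Parse untrusted XML (for example a SAML Response posted by an IdP)
    // with external entity resolution disabled, the fix CWE-611 asks for.
    public static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings
        {
            // Reject any <!DOCTYPE>; without a DTD no entities can be declared at all.
            DtdProcessing = DtdProcessing.Prohibit,
            // Never fetch external resources (files, URLs), even if a DTD slipped through.
            XmlResolver = null
        };

        // Set the document resolver to null as well: .NET Framework before 4.5.2
        // defaulted XmlDocument.XmlResolver to XmlUrlResolver, which fetches external entities.
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        // PreserveWhitespace keeps the bytes exactly as signed, which XML signature
        // validation of a SAML assertion depends on.
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed, minimal SAML-shaped document: loads normally.
        const string samlLike =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_example\"/>";
        Console.WriteLine(Load(samlLike).DocumentElement.Name); // samlp:Response

        // Constructed document carrying a DTD with an external entity (placeholder target):
        // rejected before any entity is resolved.
        const string withDtd =
            "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]><x>&ext;</x>";
        try
        {
            Load(withDtd);
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected as expected: " + e.Message);
        }
    }
}
```

This only addresses the XXE finding; the MD5, SHA-1 and TripleDES findings concern which algorithms the library selects for signing and encryption and cannot be fixed from the calling code.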