Security Scan (Veracode) - Flagging some features from ComponentPro.Saml.dll as Security Risks

Subject: Security Scan (Veracode) - Flagging some features from ComponentPro.Saml.dll as Security Risks Date: 2017-10-06 17:52:49 From: Adrian Cruz Source: security-scan-veracode-flagging-features-componentpro-saml-dll-security-risks ----------------------------------------------------------------------

Hi,

A few months we implemented a SSO solution using ComponentPro.Saml to create a response from the request of our consumer and to do the proper validation against the response. However, in our security scann (static scan) of the application that uses this SSO implementation we got a handfull of High Level Security Risks related to ComponentPro.Saml.dll. The security risks are as follow:

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using System.Security.Cryptography.MD5.Create() function, which uses a hash algorithm that is considered weak.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using System.Security.Cryptography.SHA1CryptoServiceProvider.!newinit_0_0() function, which uses a hash algorithm that is considered weak.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm - ComponentPro.Saml.dll is using System.Security.Cryptography.TripleDES.Create', which uses a known risky cryptographic algorithm.
CWE-326: Inadequate Encryption Strength - ComponentPro.Saml.dll is using System.Security.Cryptography.SymmetricAlgorithm.set_KeySize. The key size specified for this algorithm is not large enough to protect it from brute force attacks. We get this error three times, one per CWE-327
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - ComponentPro.Saml.dll is using System.Xml.XmlDocument.LoadXml() function to parse an XML document. By default, the default XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

We would like to know the following:

Are there ways to turn these Risky Cryptographic functionalities OFF (disable them) from our code?
**** If there are ways to turn these functionalities OFF, how can we accomplish this? Is there any documentation that we can follow?
What XML parser is ComponentPro.Saml.dll using?
**** Does the XML parser that ComponentPro.Saml.dll use, try to resolve external references that might be included in the original XML file?
******** If Yes, how can we tell the parser to NOT resolve these external references?
**** Is there a way to make the ComponentPro.Saml.dll use a different XML parser?

Thank You,

Adrian Cruz

---------------------------------------------------------------------- Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back. Back to ComponentPro Q&A Forum Index