Problem
Terraform Enterprise's single sign-on (SSO) functionality, which is implemented with the Ruby SAML library, is affected by CVE-2024-45409, an authentication bypass vulnerability in that library's SAML Response signature verification.
Cause
The Ruby SAML library, which Terraform Enterprise uses for SAML integration with identity providers, disclosed a vulnerability in how it verifies the signature of a SAML Response. It can be exploited by an XML signature wrapping attack: an attacker holding any document validly signed by the identity provider (for example, their own legitimate assertion) can use it to forge a SAML Response or Assertion with arbitrary contents, and thereby authenticate as another user. The library fix shipped in Ruby SAML 1.17.0 (and 1.12.3 for the 1.12 branch). While HashiCorp's internal testing has not confirmed exploitability on an SSO-enabled Terraform Enterprise deployment, the library has been upgraded to a fixed version in Terraform Enterprise release v202409-1 and newer to address the vulnerability.
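The following Ruby script is an added illustration of the signature wrapping class of bug described above; it is not HashiCorp's code, not the Ruby SAML library's code, and not a reproduction of the exact CVE-2024-45409 defect. It builds two constructed SAML Responses with placeholder signatures: an honest one, and a "wrapped" one in which the genuine signed assertion is moved under an Extensions element and an unsigned assertion with a different NameID is placed where a naive consumer looks first. `naive_name_id` models a consumer that locates the Signature and the Assertion with two unrelated lookups; `hardened_name_id` models the structural checks (one assertion, enveloped signature, Reference URI pointing back at that assertion's unique ID) that must precede the cryptographic check. The element names, IDs and addresses are assumptions made up for the example, and cryptographic verification of SignatureValue is deliberately left out.

```ruby
# Added example (not HashiCorp's or ruby-saml's code): XML signature wrapping
# against a naive SAML consumer, and the structural checks that defeat it.
require 'rexml/document'

NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#',
}.freeze

class SamlRejected < StandardError; end

# Constructed, IdP-signed assertion. Signature contents are placeholders; a real
# one carries digest values and a base64 SignatureValue. Reference URI points at
# the assertion's own ID, as an enveloped signature should.
SIGNED_ASSERTION = <<~XML.freeze
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
XML

# Constructed honest response: exactly one assertion, directly under Response.
HONEST_RESPONSE = <<~XML.freeze
  <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" ID="_r1">
    #{SIGNED_ASSERTION}
  </samlp:Response>
XML

# Constructed wrapped response: the genuine signed assertion is kept byte-for-byte
# (so its signature still verifies) but tucked under Extensions, and an unsigned
# assertion naming a different user is placed first in document order.
WRAPPED_RESPONSE = <<~XML.freeze
  <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}" ID="_r1">
    <saml:Assertion ID="_forged">
      <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
    <samlp:Extensions>
      #{SIGNED_ASSERTION}
    </samlp:Extensions>
  </samlp:Response>
XML

# Vulnerable pattern: "is there a signature somewhere?" and "what is the NameID?"
# are answered by independent XPath queries, so they can refer to different elements.
def naive_name_id(xml)
  doc = REXML::Document.new(xml)
  signature = REXML::XPath.first(doc, '//ds:Signature', NS)
  raise SamlRejected, 'no signature' unless signature
  # A cryptographic check of `signature` over its referenced element would pass
  # here, because the signed assertion itself was never modified.
  REXML::XPath.first(doc, '//saml:Assertion/saml:Subject/saml:NameID', NS).text
end

# Hardened pattern: find exactly one assertion where the profile places it, require
# its signature to be its own child, require the Reference URI to point back at
# that assertion's ID, require the ID to be unique in the document, and only then
# (after the cryptographic check, omitted here) read data out of it.
def hardened_name_id(xml)
  doc = REXML::Document.new(xml)
  assertions = REXML::XPath.match(doc, '/samlp:Response/saml:Assertion', NS)
  raise SamlRejected, 'expected exactly one Assertion' unless assertions.size == 1
  assertion = assertions.first
  id = assertion.attributes['ID']
  same_id = REXML::XPath.match(doc, '//*[@ID]').count { |e| e.attributes['ID'] == id }
  raise SamlRejected, 'assertion ID is not unique' unless same_id == 1
  signature = REXML::XPath.first(assertion, 'ds:Signature', NS)
  raise SamlRejected, 'assertion is not signed' unless signature
  reference = REXML::XPath.first(signature, 'ds:SignedInfo/ds:Reference', NS)
  unless reference && reference.attributes['URI'] == "##{id}"
    raise SamlRejected, 'signature reference does not cover this assertion'
  end
  # ...cryptographic verification of `signature` against `assertion` goes here...
  REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS).text
end

# Convenience wrapper so callers can ask "would the hardened consumer accept this?"
def hardened_accepts?(xml)
  hardened_name_id(xml)
  true
rescue SamlRejected
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, honest:    #{naive_name_id(HONEST_RESPONSE)}"
  puts "naive, wrapped:   #{naive_name_id(WRAPPED_RESPONSE)}"
  puts "hardened, honest: #{hardened_name_id(HONEST_RESPONSE)}"
  puts "hardened, wrapped accepted? #{hardened_accepts?(WRAPPED_RESPONSE)}"
end
```

The naive consumer returns `admin@example.com` for the wrapped response because the only Signature in the document legitimately covers `_a1` while the NameID is read from `_forged`. The hardened consumer rejects it before any cryptography runs; it also rejects the variant where the attacker copies the genuine Signature element into the forged assertion, since the Reference URI then names a different ID than the assertion that contains it.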
Solutions
Evaluate the risk this issue poses to your deployment and choose one of the following remediation paths. Solution 2 is a mitigation only and does not replace the upgrade in Solution 1.
Solution 1: Upgrade Terraform Enterprise
The primary solution is to upgrade to Terraform Enterprise v202409-1 or a newer version. This release includes an updated version of the Ruby SAML library where the vulnerability has been addressed.
For upgrade instructions, refer to the official documentation for general guidance on how to Upgrade Terraform Enterprise and review the version-specific notes in the Terraform Enterprise Releases.
Solution 2: Enable Two-Factor Authentication as a Mitigation
If you use Terraform Enterprise's SSO feature but cannot upgrade immediately, enable and enforce the integrated two-factor authentication (2FA) functionality. A forged SAML assertion satisfies only the first factor, so 2FA that was enrolled and required before an attack limits what an attacker can do with a SAML authentication bypass; it does not remove the vulnerability, and it offers no protection for users who have not enrolled.
Organization owners can require all team members to use two-factor authentication from their organization's Settings page.
Additional Information
For more details, please refer to the official security bulletin: HCSEC-2024-19 - Terraform Enterprise’s Single Sign-On And Ruby SAML’s CVE-2024-45409.