===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2218
        Shibboleth Service Provider Security Advisory [22 June 2021]
                               23 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Provide Misleading Information -- Unknown/Unspecified
                   Unauthorised Access            -- Unknown/Unspecified
                   Reduced Security               -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20210622.txt

--------------------------BEGIN INCLUDED TEXT--------------------


Shibboleth Service Provider Security Advisory [22 June 2021]

An updated version of the Service Provider software is now
available which corrects a critical header smuggling/spoofing
vulnerability on Windows when using IIS.

Header smuggling allows for impersonation under IIS 7+
======================================================================
The Service Provider module for Microsoft's IIS 7 and above includes
support for both header-based and server variable-based export of user
attribute data into the application environment.

Unfortunately the server variable support was implemented incorrectly,
and is vulnerable to header smuggling or spoofing attacks. The usual
logic that attempts to detect and block this is not active when the
<ISAPI> element's useHeaders option is unset or false in the SP
configuration, which is the default for new installs.

Under these conditions, an attacker can easily supply values that the
SP will append its own data to when it exports attribute information
into the environment and the application will see both the fake and
the legitimate values, allowing for subversion of access control
rules and potentially impersonation of users.

This issue does not impact the use of Apache or any other non-IIS
environment, and does not impact the older, deprecated IIS filter,
which only supported headers and does not honor the options involved.


Recommendations
===============
Update to V3.2.2.2 or later of the Service Provider software, which
is now available. This is a Windows-only update to the V3.2.2 release
containing the fixed IIS module.

In cases where this is not immediately possible, adding
useHeaders="true" to the <ISAPI> element in shibboleth2.xml will
enable the usual header detection code that attempts to prevent
header smuggling. In most cases, this should not impact applications
that are accessing data via server variables.

This workaround is only possible after having updated the core
configuration to the V3 XML namespace.

Example:
<ISAPI useHeaders="true" useVariables="true">
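As an added example (not from the advisory or the Shibboleth project), a small Python check that audits a shibboleth2.xml for the condition described above: it reports when the configuration is not yet on the V3 XML namespace (so the workaround cannot be applied) and when the <ISAPI> element's useHeaders attribute is unset or false. The SPConfig root element and its InProcess parent are assumed from the SP's standard configuration layout; the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

SP3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # V3 namespace the workaround requires


def _is_true(value):
    """Interpret an XML boolean attribute; an absent attribute counts as false."""
    return (value or "").strip().lower() in ("true", "1")


def audit_isapi_config(xml_text):
    """Return a list of findings for one shibboleth2.xml; empty means useHeaders is on."""
    findings = []
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns != SP3_NS:
        findings.append(f"root namespace '{ns or '(none)'}' is not the V3 namespace; "
                        "the useHeaders workaround is only possible after migrating to V3")
        return findings
    # ISAPI normally sits under <InProcess>; search the whole tree to be safe.
    isapi = root.find(f".//{{{SP3_NS}}}ISAPI")
    use_headers = isapi.get("useHeaders") if isapi is not None else None
    if not _is_true(use_headers):
        findings.append("<ISAPI> useHeaders is unset or false (the vulnerable default); "
                        "set useHeaders=\"true\" or upgrade to V3.2.2.2 or later")
    return findings


# Constructed sample configurations, trimmed to the elements that matter here.
VULNERABLE_DEFAULT = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <InProcess><ISAPI useVariables="true"/></InProcess>
</SPConfig>"""
WORKAROUND_APPLIED = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <InProcess><ISAPI useHeaders="true" useVariables="true"/></InProcess>
</SPConfig>"""
LEGACY_V2_NAMESPACE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess><ISAPI useHeaders="true"/></InProcess>
</SPConfig>"""

if __name__ == "__main__":
    for name, cfg in [("vulnerable default", VULNERABLE_DEFAULT),
                      ("workaround applied", WORKAROUND_APPLIED),
                      ("legacy V2 namespace", LEGACY_V2_NAMESPACE)]:
        print(name, "->", audit_isapi_config(cfg) or ["OK"])
```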

Note that while systems using the older filter are not affected,
that filter is deprecated, and all deployers should upgrade so that
the system does not remain vulnerable if a future change enables the
newer module.

Credits
=======
Thanks to Klintra/Faroese Telecom for discovering and reporting this
vulnerability.


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210622.txt


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================