===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2218
        Shibboleth Service Provider Security Advisory [22 June 2021]
                               23 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Provide Misleading Information -- Unknown/Unspecified
                   Unauthorised Access            -- Unknown/Unspecified
                   Reduced Security               -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin:
   https://shibboleth.net/community/advisories/secadv_20210622.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [22 June 2021]

An updated version of the Service Provider software is now available which
corrects a critical header smuggling/spoofing vulnerability on Windows when
using IIS.

Header smuggling allows for impersonation under IIS 7+
======================================================================
The Service Provider module for Microsoft's IIS 7 and above includes support
for both header-based and server variable-based export of user attribute data
into the application environment. Unfortunately the server variable support
was implemented incorrectly, and is vulnerable to header smuggling or spoofing
attacks. The usual logic that attempts to detect and block this is not active
when the <ISAPI> element's useHeaders option is unset or false in the SP
configuration, which is the default for new installs.
Under these conditions, an attacker can easily supply values that the SP will
append its own data to when it exports attribute information into the
environment, and the application will see both the fake and the legitimate
values, allowing for subversion of access control rules and potentially
impersonation of users.

This issue does not impact the use of Apache or any other non-IIS environment,
and does not impact the older, deprecated IIS filter, which only supported
headers and does not honor the options involved.

Recommendations
===============
Update to V3.2.2.2 or later of the Service Provider software, which is now
available. This is a Windows-only update to the V3.2.2 release containing the
fixed IIS module.

In cases where this is not immediately possible, adding useHeaders="true" to
the <ISAPI> element in shibboleth2.xml will enable the usual header detection
code that attempts to prevent header smuggling. In most cases, this should not
impact applications that are accessing data via server variables. This
workaround is only possible after having updated the core configuration to the
V3 XML namespace.

Example:

<ISAPI useHeaders="true" useVariables="true">

Note that while systems using the older filter are not affected, that filter
is deprecated, and all deployers should upgrade to ensure that if a future
change enables the newer module the system does not remain vulnerable.

Credits
=======
Thanks to Klintra/Faroese Telecom for discovering and reporting this
vulnerability.
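To audit a deployment for the workaround described above, the following added example (not Shibboleth project code) parses a shibboleth2.xml and reports whether its <ISAPI> element carries useHeaders="true", or whether the configuration is still on the V2 namespace where the workaround is unavailable. It assumes the SP's V2 and V3 configuration namespace URIs (taken from the SP schema, not from the advisory) and embeds constructed sample configurations.

```python
"""Audit shibboleth2.xml for the IIS header-smuggling workaround
(useHeaders="true" on <ISAPI>). Added example; not Shibboleth code."""
import xml.etree.ElementTree as ET

# Namespace URIs of the SP configuration schema (assumption: the V3 URI is
# what the advisory calls "the V3 XML namespace").
NS_V3 = "urn:mace:shibboleth:3.0:native:sp:config"
NS_V2 = "urn:mace:shibboleth:2.0:native:sp:config"


def assess_isapi(config_xml: str) -> str:
    """Classify a config as 'v2-namespace' (workaround unavailable until the
    core config is migrated), 'unknown-namespace', 'no-isapi-element',
    'vulnerable-default' (useHeaders unset or false, the new-install default)
    or 'workaround-active' (useHeaders="true")."""
    root = ET.fromstring(config_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns == NS_V2:
        return "v2-namespace"
    if ns != NS_V3:
        return "unknown-namespace"
    # <ISAPI> normally sits under <InProcess>; search the whole tree anyway.
    isapi = root.find(f".//{{{NS_V3}}}ISAPI")
    if isapi is None:
        return "no-isapi-element"
    # An absent attribute is treated exactly like an explicit "false".
    use_headers = isapi.get("useHeaders", "false").strip().lower()
    return "workaround-active" if use_headers in ("true", "1") else "vulnerable-default"


# Constructed sample: new-install default, useHeaders unset (vulnerable).
DEFAULT_CONFIG = f"""<SPConfig xmlns="{NS_V3}">
  <InProcess>
    <ISAPI normalizeRequest="true"><Site id="1" name="sp.example.org"/></ISAPI>
  </InProcess>
</SPConfig>"""

# Constructed sample: the advisory's workaround applied.
FIXED_CONFIG = f"""<SPConfig xmlns="{NS_V3}">
  <InProcess>
    <ISAPI useHeaders="true" useVariables="true"><Site id="1" name="sp.example.org"/></ISAPI>
  </InProcess>
</SPConfig>"""

# Constructed sample: still on the V2 namespace, so the option is not honoured yet.
V2_CONFIG = f'<SPConfig xmlns="{NS_V2}"><InProcess><ISAPI useHeaders="true"/></InProcess></SPConfig>'

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG), ("v2", V2_CONFIG)):
        print(f"{name}: {assess_isapi(cfg)}")
```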
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210622.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================