ESB-2017.2921 - [Win][UNIX/Linux] Shibboleth Service Provider: Reduced security - Existing account 2017-11-16

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2921
     Shibboleth Service Provider Security Advisory [15 November 2017]
                             16 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20171115.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [15 November 2017]

An updated version of the Shibboleth Service Provider software
is available which corrects a critical security issue in the
"Dynamic" metadata provider plugin.

Deployers making use of the affected feature should apply the
relevant update at the soonest possible moment.

Dynamic MetadataProvider fails to install security filters
============================================================
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of downloading
aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical
security checks such as signature verification, enforcement of validity
periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself
with the filters provided to it and thus omits whatever checks they are
intended to perform, which will typically leave deployments vulnerable
to active attacks involving the substitution of metadata if the network
path to the query service is compromised.

Affected Systems
==================
All versions of the Service Provider software prior to V2.6.1 contain
this vulnerability.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of this feature until the upgrade is done.

Service Provider Deployer Recommendations
===========================================
Upgrade to V2.6.1 or later of the Service Provider and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively.

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags,
you may consider building from source for your own use as an interim
step.

The patch commit that corrects this issue can be found at [1].

Additional Recommendations for Federation Operators
=====================================================
Operators of metadata query services in support of this feature may
wish to consider implementing security checks after a suitable upgrade
window has elapsed to prevent use of affected versions or follow up
with deployers. The User Agent string in requests to the service
will contain the version of the software.

Note Regarding OpenSAML Library
=================================
An identical issue exists in the DynamicMetadataProvider class in
the OpenSAML-C library in all versions prior to V2.6.1. Applications
making direct use of this library must be independently updated to
correct this vulnerability, but this fix does not correct the issue
with respect to the use of the Shibboleth SP.

The patch commit that corrects the OpenSAML issue can be found at [2].

Credits
=========
Rod Widdowson, Steading System Software LLP

[1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;
h=b66cceb0e992c351ad5e2c665229ede82f261b16

[2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;
h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20171115.txt

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloMn08ACgkQN4uEVAIn
eWJlARAAtBF3WZo+9ttkC3asKl3/KTon9/z72kd01t9uCxLgexh+2BFAa6nFLLem
HlFQztcdvcZqcX3AbCZkFsXjsWOqtDv2HCewwEFKxex6UHf1NM+WI883y3Nfv8bH
Fnxu8Ao8iC67W1bdZXfVeqXwGr8YOy0sTyG0R33bsoGyiYUTAc0FXjIn2ROn4lMV
vkz0XwcQER7xCah9ow4h7dSkO3ERJfMQBD4ekaSBdpZnVaYGuBN6JSBJtlyK7Tel
aDKOYaeJZ9yAOL+wFBVGu6/xTIAfWLCj0ks9K9YI6fX2YhSshy6aazxzuURtTHiH
hBOi4kRX9lKMaIz1b9aKb0p1X4uePcdWsP6UaOgaFimgxpUSgUlz9SiKdaG58sKq
xmZsnFGgkssCqm1Cdr2EGxU6VJ+uBqzmW0bCD7grdSeuqY+N9o1xDT4pdRWueTmD
RSYUn8uA+lAN2mgy5Fnj4Ys0NSPjCpoWXyevHhm+7xwuIXrFM77B5q4QudQh2rhL
ryrudPHI+fyxSJuin9bTd7SncLHSa1eu06adfVEtuYJC8KRb/tokVeUbsFsKR/AI
eedmRE2RdonXn4XiuBtdO8pLj6lkLtA2ir68fEtVD2Hyxj1ht9PPjuHWVQzlBBSB
GXa1yhfOxn2/cNd8DLFpML2v2dGkok8ekjuyfYgIbdQ6othn4SM=
=BZgC
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWg0XcIx+lLeg9Ub1AQgYGBAAjDU3SLIyRMilbYxL1sEoDrGjK3T4TEsl
3vP7VZjEPgfDi/G7ghEwyOg22lXCE3iz+VPD0HYBnwDyrnp7Nz8HjB2BuyR9Fj+B
MDRJuK2UI/P1+iBCoIbgsBiXKB2vKp22YMqW6ZhcQ7FTyA2SRmyAJGswJxWJwrrs
uFe7e7TfRnWJLiEiWJ8qoYHHVZATCkEDdsFizPQMbk6Gs55slJooS97XoWKrtkZK
duz+73FIl0ReXSOim10Mm9007MekmxJqktaWLHKzSMEVa+nV7flj4XmH6f3GZ0KE
oo5+leey837dN8YWgom5F3zooeexv25W2d29e076iXHb7X4lkyN6tt9QX8tvfhFs
jNeL/S0HUuarlGcQDrVIgqSbOHvQf3jEDPcKLVAOBKLXL0WR+xGJ8RImqFpZJ+Dv
Yla5GcYnnsEumKJPhyfQsorW9YPjliaU71UgIOKoTHm+qpTJ7ox3tDD3WKrASh8h
aoIvq1ksNnjNQaJVFbrEwYDAa8lGnroIwX1/zXMqAoDJL2+6eD2rT/hsWI2fg8gE
8IhtqORSl1PGLVQvVcxc/Bloeig5O2PClmONPTTxmTEVwun10uNWTLqRFWi/JTJL
gVpzFaQUWJNTk2nd7e2LJA83lC535wFmb5ohc44GUKzol/lR2ezIpoVSHL/TruWY
C1M4j/76umk=
=CwJX
-----END PGP SIGNATURE-----

« Back to bulletins