ESB-2018.0413 - [Debian] simplesamlphp: Multiple vulnerabilities - 2018-02-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0413
           [SECURITY] [DLA 1273-1] simplesamlphp security update
                              9 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           simplesamlphp
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Existing Account            
                   Unauthorised Access            -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6521 CVE-2017-18122 CVE-2017-18121

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : simplesamlphp
Version        : 1.9.2-1+deb7u2
CVE ID         : CVE-2017-18121 CVE-2017-18122 CVE-2018-6521
Debian Bug     : 889286


simplesamlphp, an authentication and federation application, has been
found vulnerable to Cross Site Scripting (XSS), signature validation
bypass and use of an insecure connection charset.

CVE-2017-18121

    A Cross Site Scripting (XSS) issue has been found in the
    consentAdmin module of SimpleSAMLphp through 1.14.15, allowing an
    attacker to craft links that, when opened by a victim, execute
    arbitrary JavaScript code.

CVE-2017-18122

    A signature-validation bypass issue was discovered in SimpleSAMLphp
    through 1.14.16. A Service Provider using SAML 1.1 will regard as
    valid any unsigned SAML response containing more than one signed
    assertion, provided that the signature of at least one of the
    assertions is valid. Attributes contained in all the assertions
    received will be merged and the entityID of the first assertion
    received will be used, allowing an attacker to impersonate any user
    of any IdP given an assertion signed by the targeted IdP.
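
The defensive counterpart of the flaw described above, as an added example that is not part of the Debian advisory or of SimpleSAMLphp's own code: instead of accepting a response once any one assertion verifies, require every assertion to carry a valid signature and to name the same Issuer. It assumes a `signature_ok` callback as a placeholder for real XML-DSig verification, and builds its own constructed sample response.

```python
import xml.etree.ElementTree as ET

# Real SAML 1.1 and XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def validate_saml11_response(xml_text, signature_ok):
    """Return (accepted, reason) for a SAML 1.1 Response.
    signature_ok(element) is an assumed callback standing in for real
    XML-DSig verification of the ds:Signature carried by that element.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a SAML 1.1 Response"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no assertions"
    # A valid signature over the whole Response covers every assertion in it.
    if root.find("ds:Signature", NS) is not None and signature_ok(root):
        return True, "response signed"
    # Otherwise do not stop at the first valid assertion: every assertion
    # must carry its own valid signature ...
    for assertion in assertions:
        if assertion.find("ds:Signature", NS) is None or not signature_ok(assertion):
            return False, "unsigned or invalid assertion present"
    # ... and all must name one and the same Issuer, so attributes from
    # another IdP can never be merged under the first assertion's identity.
    issuers = {assertion.get("Issuer") for assertion in assertions}
    if len(issuers) != 1 or None in issuers:
        return False, "assertions from different or missing issuers"
    return True, "all assertions signed by " + issuers.pop()

def build_response(assertions):
    """Build a constructed sample unsigned SAML 1.1 Response from a list
    of (issuer, signed) pairs; not a real IdP message."""
    body = "".join(
        '<saml:Assertion Issuer="%s">%s</saml:Assertion>'
        % (issuer, "<ds:Signature/>" if signed else "")
        for issuer, signed in assertions
    )
    return '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%s</samlp:Response>' % (
        NS["samlp"], NS["saml"], NS["ds"], body)

def demo_signature_ok(element):
    # Placeholder verifier for the demo: any present ds:Signature counts as valid.
    return element.find("ds:Signature", NS) is not None
```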

CVE-2018-6521

    The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the
    MySQL utf8 charset, which truncates queries upon encountering
    four-byte characters. There might be a scenario in which this allows
    remote attackers to bypass intended access restrictions.
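
As an added example (not SimpleSAMLphp's own sqlauth code): a configuration check that the PDO MySQL DSN pins the connection to utf8mb4, plus an input guard for deployments still on the 3-byte utf8 charset. It assumes the DSN uses PDO's `charset=` option and, as a labelled assumption, treats a DSN without that option as the narrow utf8 charset.

```python
import re

def representable_in_mysql_charset(value, charset):
    """True if every character of value fits the named MySQL charset.
    MySQL's 'utf8' (alias utf8mb3) stores at most three bytes per
    character, i.e. only the BMP (U+0000..U+FFFF); 'utf8mb4' is full UTF-8.
    """
    if charset == "utf8mb4":
        return True
    if charset in ("utf8", "utf8mb3"):
        return all(ord(ch) <= 0xFFFF for ch in value)
    raise ValueError("unsupported charset: %r" % charset)

def dsn_charset(dsn):
    """Return the charset= option of a PDO MySQL DSN, or None if absent."""
    match = re.search(r"(?:^|;)charset=([^;]+)", dsn)
    return match.group(1) if match else None

def check_sqlauth_config(dsn):
    """Flag a sqlauth DSN that does not pin the connection to utf8mb4."""
    charset = dsn_charset(dsn)
    if charset == "utf8mb4":
        return True, "connection charset is utf8mb4"
    return False, "set charset=utf8mb4 in the DSN (currently %r)" % charset

def guard_sqlauth_input(username, dsn):
    """Reject credentials the connection charset cannot carry intact.
    Under a utf8 (3-byte) connection the server may silently cut the value
    at the first four-byte character instead of rejecting it, so the query
    would not compare the string the user actually supplied.
    """
    # Assumption: a DSN without charset= behaves as the narrow 3-byte utf8.
    charset = dsn_charset(dsn) or "utf8"
    if not representable_in_mysql_charset(username, charset):
        return False, "username contains characters outside charset %s" % charset
    return True, "ok"
```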

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.2-1+deb7u2.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----