===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2991
      Shibboleth Service Provider Security Advisory [31 August 2020]
                              1 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
Original Bulletin:
   https://shibboleth.net/community/advisories/secadv_20200831.txt

--------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [31 August 2020]

An updated version of the "modern" module for Microsoft IIS V7+ is
available which corrects a denial of service vulnerability.

IIS module fails to trap exceptions raised by network socket failures
======================================================================
The modern IIS module contains a flaw: it fails to catch and handle
exceptions raised on a particular code path that results from failed
attempts to read data from the HTTP client socket. This manifests as a
crash in the IIS worker process along with a fatal log message in the
Windows event log.

Because it is possible experimentally to trigger this condition remotely,
it results in a potential denial of service condition exploitable by a
remote, unauthenticated attacker.

This issue is specific to the newer IIS module and does not impact the
older ISAPI filter/extension, the Apache modules, or any other SP
integration variants.

Recommendations
===============
Update to V3.1.0.2 or later of the Windows installation package, which is
now available.
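The exception-handling gap described above, as an added C++ illustration that is not Shibboleth's code (the reader type, handler names and sample chunks are constructed): the unguarded read loop lets a socket exception escape the handler, while the guarded version traps it at the module boundary, logs it, and returns an error response instead.

```cpp
// Added illustration, not Shibboleth's code: a request handler that reads
// the client body in chunks.  A socket failure surfaces as a C++ exception.
#include <functional>
#include <stdexcept>
#include <string>

// Stand-in for the client socket: returns the next chunk, an empty string
// at end of body, or throws when the connection fails mid-read.
using ChunkReader = std::function<std::string()>;

struct HandlerResult {
    int status;        // HTTP status the host should send
    std::string body;  // body read, or an error description
};

// Before: an exception from readChunk() escapes the handler.  In a native
// IIS module no frame above this catches it, so the worker process is
// terminated; that is the crash the advisory describes.
HandlerResult handleRequestUnguarded(const ChunkReader& readChunk) {
    std::string data;
    for (std::string chunk = readChunk(); !chunk.empty(); chunk = readChunk())
        data += chunk;
    return {200, data};
}

// After: the same read loop, but every exception is trapped at the module
// boundary, logged, and turned into an error response.  One failed client
// read now costs one request instead of the worker process.
HandlerResult handleRequestGuarded(const ChunkReader& readChunk, std::string& log) {
    try {
        return handleRequestUnguarded(readChunk);
    } catch (const std::exception& e) {
        log += std::string("socket read failed: ") + e.what() + "\n";
        return {500, "internal error"};
    } catch (...) {
        log += "non-standard exception in request handler\n";
        return {500, "internal error"};
    }
}

// Constructed reader that delivers one chunk and then fails, the way a
// client that drops its connection mid-request would.
ChunkReader failingReader() {
    return [calls = 0]() mutable -> std::string {
        if (++calls == 1) return "SAMLResponse=";
        throw std::runtime_error("recv failed: connection reset by peer");
    };
}
```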
The fix is being distributed as a Windows service update (the fourth digit)
rather than a full patch since it is isolated to a DLL specific to the
Windows package.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
a2cfc1526b86d36d2afd921a1bf1029e79af4267

Credits
=======
Jos Groot Lipman from Aareon Nederland B.V.

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20200831.txt

--
To unsubscribe from this list send an email to
announce-unsubscribe@shibboleth.net

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================