===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1443
 SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006
                               29 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.drupal.org/sa-contrib-2021-006

--------------------------BEGIN INCLUDED TEXT--------------------

SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006

Project:        SAML Authentication
Date:           2021-April-28
Security risk:  Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:  Access bypass

Description:

The SAML Authentication module allows users to authenticate against a SAML
identity provider to log in to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access by
way of the 'password reset' facility, for users who are supposed to only be
able to log in through the identity provider.

This creates a scenario where, after such a user is blocked from logging in
through the identity provider but not explicitly blocked in Drupal, they are
still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution:

Install the latest version:

  o for all versions of Drupal 8/9, upgrade to samlauth 8.x-3.1.
  o for Drupal 7, upgrade to samlauth 7.x-1.1.
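As an added illustration of the control the advisory says was missing (this is not the samlauth fix and not code from the advisory), a site-level Drupal 8/9 hook that refuses the core 'password reset' form for accounts linked to the SAML identity provider. The module name `idp_only_guard` is hypothetical, and it assumes samlauth 8.x-3 records its account links through the externalauth module's `externalauth.authmap` service under the provider name `samlauth`; the upgrade the advisory prescribes remains the actual remedy.

```php
<?php

/**
 * @file
 * Illustrative hardening hook for a hypothetical module "idp_only_guard":
 * refuse Drupal's 'password reset' flow for accounts linked to the SAML
 * identity provider, so a user removed at the IdP but still present in
 * Drupal cannot regain local access via a self-sent reset e-mail.
 * Assumption (not from the advisory): samlauth 8.x-3 records its links
 * through externalauth's 'externalauth.authmap' service, provider 'samlauth'.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for the core 'user_pass' form.
 */
function idp_only_guard_form_user_pass_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Run our check before core's own validation handlers.
  $form['#validate'] = array_merge(['idp_only_guard_user_pass_validate'], $form['#validate'] ?? []);
}

/**
 * Validation handler: reject the reset request for IdP-linked accounts.
 */
function idp_only_guard_user_pass_validate(array &$form, FormStateInterface $form_state) {
  $name = trim((string) $form_state->getValue('name'));
  if ($name === '') {
    return;
  }

  // The core form accepts either a username or an e-mail address.
  $storage = \Drupal::entityTypeManager()->getStorage('user');
  $accounts = $storage->loadByProperties(['mail' => $name])
    ?: $storage->loadByProperties(['name' => $name]);
  if (!$accounts) {
    // Unknown account: let core produce its usual response.
    return;
  }
  $account = reset($accounts);

  // Assumed externalauth API: get($uid, $provider) returns the IdP
  // authname for a linked account, or FALSE when there is no link.
  if (\Drupal::service('externalauth.authmap')->get($account->id(), 'samlauth') !== FALSE) {
    \Drupal::logger('idp_only_guard')->notice('Refused password reset for SAML-linked uid @uid.', ['@uid' => $account->id()]);
    $form_state->setErrorByName('name', t('This account signs in through the identity provider and has no local password to reset.'));
  }
}
```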
Reported By:

  o Bobby Gryzynger
  o Mark Shropshire

Fixed By:

  o Bobby Gryzynger
  o Roderik Muit
  o Jakob Perry
  o Sascha Grossenbacher
  o Cameron Eagans
  o Drew Webber of the Drupal Security Team

Coordinated By:

  o Greg Knaddison of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org
or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure
code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity

Contributing organizations for this advisory

  o Mediacurrent
  o Acquia
  o MD Systems
  o Morris Animal Foundation

The security team is made up of volunteers around the world. The companies
above have sponsored time on this release.

Thank you to these Drupal contributors

Top Drupal contributor Acquia would like to thank their partners for their
contributions to Drupal.

  Third and Grove
  Acro Media
  MediaCurrent
  QED42
  CI&T
  FFW
  Palantir.net
  Lullabot
  Four Kitchens
  Phase 2
  Srijan

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================