
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0765
                Shibboleth Security Advisory [25 July 2011]
                               26 July 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Shibboleth
Publisher:        Shibboleth
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Unauthorised Access -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-1411

--------------------------BEGIN INCLUDED TEXT--------------------


Shibboleth Security Advisory [25 July 2011]

Updated versions of the Shibboleth Project's OpenSAML software in
Java and C++ are available which correct a security issue.

This general issue affects BOTH Identity and Service Provider
deployments, so a single advisory is being issued for both.

For the Identity Provider, this issue is rated as "important". An
unauthenticated remote attacker could leverage the flaw to obtain
unauthorized access to user data under certain circumstances.

For the Service Provider, this issue is rated as "critical", and
allows an unauthenticated remote attacker to access protected
resources.

Deployers should take immediate steps as outlined in this advisory
and apply the relevant update(s) at the soonest possible moment.

OpenSAML software is vulnerable to XML Signature wrapping attacks
=======================================================================
The Shibboleth software relies on the OpenSAML libraries to perform
verification of signed XML messages such as attribute queries or
SAML assertions. Both the Java and C++ versions are vulnerable to a
so-called "wrapping attack" that allows a remote, unauthenticated
attacker to craft specially formed messages that can be successfully
verified, but contain arbitrary content.
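The check that is missing in a wrapping-vulnerable consumer is the binding between the element the signature references and the element the application actually acts on. The following is an added illustration, not OpenSAML or Shibboleth code; it assumes an enveloped signature over a SAML 2.0 Assertion and uses constructed sample documents with placeholder signature values (no cryptographic verification is performed, only the post-verification binding check).

```python
# Added illustration, not code from OpenSAML or Shibboleth. It shows the binding
# check a consumer should make after XML-DSig verification: the element the
# Signature references must be the very element the application trusts.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def consumed_assertion_is_signed(xml_text):
    """True only if the first saml:Assertion in the Response (what a naive
    consumer reads) is the unique target of the enveloped ds:Signature."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    consumed = root.find(f"{SAML}Assertion")
    sig = root.find(f".//{DS}Signature")
    if consumed is None or sig is None:
        return False
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return False          # only same-document ID references are expected here
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:
        return False          # duplicate or missing ID: reference is ambiguous
    # Enveloped signature: Signature sits directly inside the element it covers,
    # and that element must be the one the consumer is about to act on.
    return parent[sig] is targets[0] and targets[0] is consumed

def response(assertions):
    """Constructed sample document; signature values are placeholders."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + "".join(assertions) + "</samlp:Response>")

def assertion(aid, name, signed_ref=None):
    sig = ""
    if signed_ref:
        sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{signed_ref}"/>'
               '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
               '</ds:Signature>')
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject><saml:NameID>{name}'
            '</saml:NameID></saml:Subject></saml:Assertion>')

# Expected shape: one assertion, signed, reference points at itself.
GOOD = response([assertion("a1", "alice", signed_ref="a1")])
# The assertion the consumer reads first is not the one the signature covers,
# although the signature over the other element would still verify.
MISBOUND = response([assertion("a2", "other"), assertion("a1", "alice", "a1")])
# Two elements carry the same ID: the reference cannot be resolved unambiguously.
DUP_ID = response([assertion("a1", "alice", "a1"), assertion("a1", "other")])
```

Only `GOOD` passes the check; the other two constructed documents are rejected before any content is trusted.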

Identity Provider Vulnerability
-------------------------------
The Identity Provider software relies on the Java version of OpenSAML
and is vulnerable to attacks when XML message signing is used in place
of TLS client authentication for requests such as attribute queries or
SAML artifact resolution. It is also vulnerable to attacks involving
signed AuthnRequest messages, but these are not critical in most
deployments. Some vulnerabilities also exist with use of the extension
that supports delegation of user access, which is not included with the
core software, but available as an add-on.

All versions of the Identity Provider software prior to V2.3.2
ship with a version of OpenSAML containing the vulnerability.

Some mitigation for these attacks is possible by disabling support for
accepting signed messages. See below for information on this option.

Identity Provider Recommendations
---------------------------------
Upgrade to V2.3.2 of the Identity Provider software to obtain the
corrected version of OpenSAML (V2.5.1), per the normal upgrade process:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdP2Upgrade

If you cannot upgrade immediately, you may mitigate the attack by
disabling support for message signing in the security policies
defined near the bottom of "relying-party.xml" by commenting out
all <security:Rule> elements with
xsi:type="samlsec:ProtocolWithXMLSignature" and restarting your
Java container.


Service Provider Vulnerability
------------------------------
The Service Provider software relies on the C++ version of OpenSAML
and is vulnerable to attacks when handling authentication responses
from IdPs. This allows an attacker to subvert the security of the
system and supply an unauthenticated login identity and data under
the guise of a trusted issuer.

All versions of the OpenSAML library prior to V2.4.3 contain this
vulnerability. Note that this refers to the OpenSAML version, *not*
the Shibboleth version. To determine the version you're using:

- Windows: check the DLL version for saml2_4.dll in your installation's
  lib folder (anything older than saml2_4 is obviously too old)

- Linux/RPM: check the package version using "rpm -qa | grep saml"

- Macports: use the "port installed" command

Do not rely on log files for version determination, as this can be
inaccurate and may refer to the version against which the software
was compiled.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of the SP until the upgrade is done.

Service Provider Recommendations
--------------------------------
Upgrade to V2.4.3 or later of the OpenSAML library and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively, but should manually restart shibd.

The updated library has been built into the Windows installation kits
for V2.4.3 of the SP software, and can be found in the "postinstall"
ZIP kits provided for SP update. *Any* version of the SP since 2.0
can be safely upgraded by unpacking the latest postinstall ZIP
over top of the original software. One exception to this: Windows 2000,
which has not been supported since V2.4 was released.

Note that older Windows installs may not have the latest Microsoft
C/C++ runtime libraries present. Installation kits for both 32-bit and
64-bit runtimes can be found here:

http://shibboleth.net/downloads/service-provider/msredist/

For those using platforms not supported directly by the project team,
refer to your vendor or package source for information on obtaining
the fixed version. If the update from your vendor lags, you should
consider building opensaml from source for your own use as an interim
step.

Credits
-------
Juraj Somorovsky, Andreas Mayer, Meiko Jensen, Florian Kohlar,
Marco Kampmann, Jörg Schwenk
Horst Görtz Institute for IT Security,
Ruhr-University Bochum

Thanks to Juraj Somorovsky for working with the developers to
explore and address this issue.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

The OpenSAML portion of this advisory has been assigned
CVE-2011-1411 by the National Vulnerability Database.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1411

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================