-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0935
         Tivoli Federated Identity Manager - Multiple Protocol XML
                        signature validation bypass
                              2 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Federated Identity Manager
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3314  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21612612

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Federated Identity Manager - Multiple Protocol XML
signature validation bypass (CVE-2012-3314)

Flash (Alert)

Abstract
Tivoli Federated Identity Manager (TFIM) accepts specially crafted messages
that can contain invalid or untrusted XML signatures for certain single sign-on
protocols and token modules. TFIM could mistakenly accept a malicious message,
allowing an attacker to perform actions as another user.

Content

VULNERABILITY DETAILS
CVE ID: CVE-2012-3314


DESCRIPTION: 

There are three related issues that can lead to this exposure. Each of these is
described later in this section. All issues have the same consequence, which is
that an attacker can submit a crafted message resulting in an authenticated
session for a valid user account being created and the attacker having control
of the session, thereby impersonating the valid user. The attack does not
require that the valid user authenticate or perform any other action. The
attack does not require local network access, but specialized knowledge and
techniques are required. An exploit will not impact the availability of system
resources, but both the confidentiality of information and the integrity of
transmitted data could be compromised.

1) Incorrect error handling 
SAML message components are supposed to be digitally signed, and TFIM is
supposed to check the signature. However, if an attacker sends a specially
crafted SAML message with certain elements unsigned, TFIM accepts the
message without checking the signature.

2) Incorrect element validation
XML messages containing digital signature elements are routinely validated by
TFIM. XML digital signature elements are generated for, and valid only for,
specific nodes/elements in any given XML document. Consequently, any code which
validates XML digital signature elements must correctly use the precise
node/element that the signature was generated for. Under certain conditions, a
malicious XML message with digital signature elements can be crafted which
causes TFIM to use the wrong node/element for validation.

3) Incorrect certificate path validation
XML signature validation uses certificates. These certificates can either be
contained in the TFIM keystores or included within the XML signature element.
When the signing certificate is included within the XML signature element, the
validation process does not correctly establish the trust relationship by
validating the certificate chain of the received certificate.
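
The three issues above correspond to three structural checks that a SAML
consumer must perform before it even attempts cryptographic verification of a
SignatureValue. The following Python example is added here as an illustration
and is not IBM's or TFIM's code. It uses only the standard library: the SAML
and XML-DSig namespaces are the real ones, but the sample Response documents,
the stand-in "certificate" bytes and the function names (check_response,
sample_response) are constructed for this example. The check rejects an
assertion that carries no enveloped Signature (issue 1), requires that the
signature's Reference URI point at the exact assertion being consumed and that
this ID be unique in the document (issue 2), and accepts a certificate carried
inside KeyInfo only if its SHA-256 fingerprint matches a pre-provisioned trust
anchor rather than trusting it because it arrived with the message (issue 3).

```python
"""Structural pre-checks for a SAML / XML-Signature consumer.

Added illustration, not IBM or TFIM code.  Cryptographic verification of
SignatureValue against the selected key is out of scope and must follow these
checks using a real XML-DSig implementation.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a DER-encoded signing certificate; the trust anchor
# is its SHA-256 fingerprint, as a keystore-backed pin would be.
GOOD_CERT_DER = b"constructed-test-certificate-not-real-DER"
TRUSTED_CERT_SHA256 = {hashlib.sha256(GOOD_CERT_DER).hexdigest()}


def check_response(xml_text, trusted=TRUSTED_CERT_SHA256):
    """Return (True, subject) when the structure is acceptable, else (False, reason)."""
    root = ET.fromstring(xml_text)

    # This consumer expects exactly one Assertion.  A second copy is how a
    # wrapped document tries to smuggle an unsigned assertion past the check.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "assertion-count"
    assertion = assertions[0]

    # Issue 1: an Assertion with no enveloped Signature must not be accepted.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False, "unsigned"

    # Issue 2: the single Reference must target this Assertion's own ID, and
    # that ID must be unique so the reference cannot resolve elsewhere.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "reference-count"
    target_id = assertion.get("ID")
    if not target_id or refs[0].get("URI", "") != "#" + target_id:
        return False, "reference-target"
    if sum(1 for e in root.iter() if e.get("ID") == target_id) != 1:
        return False, "duplicate-id"

    # Issue 3: a certificate inside KeyInfo is attacker-supplied input; use it
    # only if it matches a pinned trust anchor.  When absent, the key would be
    # resolved from the local keystore instead (not modelled here).
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is not None and (cert_el.text or "").strip():
        der = base64.b64decode("".join(cert_el.text.split()))
        if hashlib.sha256(der).hexdigest() not in trusted:
            return False, "untrusted-certificate"

    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, subject


def sample_response(assertion_id="_a1", ref_uri="#_a1", signed=True,
                    cert_der=GOOD_CERT_DER, extra=""):
    """Build a constructed SAML Response (not a real IdP message) for testing."""
    cert_b64 = base64.b64encode(cert_der).decode()
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f'<ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
        '<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    ) if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
        f'{extra}<saml:Assertion ID="{assertion_id}">{signature}'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    cases = {
        "well-formed": sample_response(),
        "unsigned (issue 1)": sample_response(signed=False),
        "reference to other element (issue 2)": sample_response(ref_uri="#_r1"),
        "duplicate ID (issue 2)": sample_response(extra='<samlp:Extensions ID="_a1"/>'),
        "unpinned certificate (issue 3)": sample_response(cert_der=b"other-cert"),
    }
    for name, doc in cases.items():
        print(f"{name}: {check_response(doc)}")
```

The reason codes are deliberately distinct per check so that a rejection can
be logged and alerted on; a burst of "reference-target" or "duplicate-id"
rejections from one issuer is a useful detection signal in its own right.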


CVSS Base Score: 5.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) 
Details: http://xforce.iss.net/xforce/xfdb/77795 


AFFECTED PLATFORMS
All versions of Tivoli Federated Identity Manager are affected, including those
no longer supported. Customers still using versions that are out of support
should upgrade to a supported version to obtain the fixes for this
vulnerability.

Affected supported versions:
	Tivoli Federated Identity Manager versions 6.1.1, 6.2.0, 6.2.1, 6.2.2
	Tivoli Federated Identity Manager Business Gateway versions 6.1.1,
	6.2.0, 6.2.1, 6.2.2


REMEDIATION: 

Vendor Fixes: Patches and installation instructions are provided at the URLs
listed below.

Fix                    Build     APAR     Download URL
6.1.1-TIV-TFIM-IF0013  6.1.1.13  IV23448  http://www-01.ibm.com/support/docview.wss?uid=swg24032923
6.2.0-TIV-TFIM-IF0011  6.2.0.11  IV23445  http://www-01.ibm.com/support/docview.wss?uid=swg24032920
6.2.1-TIV-TFIM-IF0003  6.2.1.3   IV23442  http://www-01.ibm.com/support/docview.wss?uid=swg24032922
6.2.2-TIV-TFIM-FP0002  6.2.2.2   IV23435  http://www-01.ibm.com/support/docview.wss?uid=swg24032786


WORKAROUNDS: 
None

RELATED INFORMATION: 

	Complete CVSS Guide
	IBM Secure Engineering Web Portal
	IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment   Product                                            Platform                             Version
Security  Tivoli Federated Identity Manager Business Gateway  AIX, HP-UX, Linux, Solaris, Windows  6.1.1, 6.2, 6.2.1, 6.2.2

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----