Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0416 CA20130319-01: Security Notice for SiteMinder products using SAML 21 March 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: CA SiteMinder Publisher: CA Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Increased Privileges -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2013-2279 Original Bulletin: https://support.ca.com/irj/portal/anonymous/phpsbpldgpg - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- CA20130319-01: Security Notice for SiteMinder products using SAML Issued: March 19, 2013 CA Technologies support is alerting customers to a potential risk with certain CA SiteMinder products that implement Security Assertion Markup Language (SAML). Multiple vulnerabilities exist that can possibly allow a remote attacker to gain additional privileges. The vulnerabilities, CVE-2013-2279, concern the verification of XML signatures on SAML statements. An attacker can perform various attacks to impersonate another user in the single sign-on system. A solution is available, see details below. Risk Rating High Platform All platforms Affected Products CA SiteMinder Federation (FSS) 12.5 CA SiteMinder Federation (FSS) 12.0 CA SiteMinder Federation (FSS) r6 CA SiteMinder Federation (Standalone)(1) 12.1 CA SiteMinder Federation (Standalone) 12.0 CA SiteMinder Agent for SharePoint 2010 CA SiteMinder for Secure Proxy Server 12.5 CA SiteMinder for Secure Proxy Server 12.0 CA SiteMinder for Secure Proxy Server 6.0 Note: (1) CA SiteMinder Federation (Standalone) was previously known as CA Federation Manager. Non-Affected Products CA SiteMinder Federation (FSS) 12.5 CR2 CA SiteMinder Federation (FSS) 12.0 SP3 CR12 CA SiteMinder Federation (FSS) r6 SP6 CR10 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder Agent for SharePoint 2010 SP1 CA SiteMinder Web Access Manager, all releases when not using Federation capabilities How to determine if the installation is affected Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. If the version is prior to the fixed release indicated in the Solution section, then the installation is vulnerable. Products may be subject to this vulnerability when used with SAML 1.1, SAML 2.0, and WS-Federation protocols. For more details on potential mitigations, please see the Workaround section below. Solution CA Technologies issued the following updates to address the vulnerability. Updates are available through the Download Center on the CA Technologies support.ca.com website. Affected Release Remediated Release CA SiteMinder Federation (FSS) 12.5 CA SiteMinder Federation (FSS) 12.5 CR2 CA SiteMinder Federation (FSS) 12.0 CA SiteMinder Federation (FSS) 12.0 SP3 CR12 CA SiteMinder Federation (FSS) r6 CA SiteMinder Federation (FSS) r6 SP6 CR10 CA SiteMinder Federation (Standalone) 12.1 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder Federation (Standalone) 12.0 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder Agent for SharePoint 2010 CA SiteMinder Agent for SharePoint 2010 12.5.1 CA SiteMinder for Secure Proxy Server 12.5 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder for Secure Proxy Server 12.0 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder for Secure Proxy Server 6.0 CA SiteMinder for Secure Proxy Server 12.5 CR2 As the fix introduces additional checks on the validity of assertions and other signed XML messages, it is possible, although unlikely, that an existing partner may send assertions that fail the validity check. If this happens, we recommend that you have the partner fix the issue. If this is not possible, and you are willing to accept the risk of disabling enhanced signature validation, you can do the following: 1. Navigate to the xsw.properties file in one of the following locations: *If you see the error message in the smtracedefault.log file, go to fed_mgr_home/siteminder/config/properties *If you see the error message in the fwstrace.log, go to fed_mgr_home/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes 2. Add the following settings to the xsw.properties file, and set each one to true. DisableXSWCheck=3Dtrue This disables the signature vulnerability checks, and only applies on the policy server. DisableUniqueIDCheck=3Dtrue This disables the duplicate ID check, and applies to both locations. This change should be made in both locations. Workaround Please note that SAML 1.1 and SAML 2.0 artifact transactions are not affected, as SSL transport layer security is used to protect the contents of the assertion. To reduce exposure when SAML 1.1 and SAML 2.0 POST are used, please ensure that assertions are both signed and encrypted, *and* the key used for signing the assertion has not been used to merely sign anything else that is publicly available (for example metadata). In that configuration, the assertions should not be vulnerable, as the encryption hides the signed block, and a potential attacker cannot get a valid signed XML block to use in the substitution attack. Given the difficulty in determining whether or not your signatures have been compromised we strongly recommend upgrading to address the vulnerability. References CVE-2013-2279 "On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012; Juraj Somorovsky, Andreas Mayer, Joerg Schwenk, Marco Kampmann, Meiko Jensen CA20130319-01: Security Notice for SiteMinder products using SAML https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at http://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team: https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Kevin Kotas Director, CA Technologies Product Vulnerability Response Team Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. - -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsBVAwUBUUjib5I1FvIeMomJAQGtYwgAkE1ExBVI4lGkptHGugNY8wwejzlDzHN0 ef7J6F5t06j8eziTMeczaupH22ydFPkMC5iTmXWqafLzX4kmFGzISVIOlrdqFfdK nkACsZyzl2NogjgIa3fEp0ZpV1T7q+wSpyCnHYCDLr57BFn1a2ZBeQqqBfibye+A ZlyHGtEJnfS+H8/ZmS5voU/AliFwj3WOkaIvUFk5gK+tbzipkiQhdvoHPTSlIPZB +0VQpfVAGG2SVKXn4QTPz/zeY3/JX7SjA0Q9hLVuYe0acCPc+6Q8hGIRmfd7czEb G41+7S+EDdjJy3c5IzUc1FNvUZJ3IDpolH/jc9nyYgmYNzHvDtfv5A=3D=3D =3DN0tz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUUqddu4yVqjM2NGpAQKTixAArM+9Zdim8xJtAsnyiS1TfyXySwRriwOk UhcIp9uhgQiDxu4z9oNSwciUkj9TzjYQZDuNiNBwlWQjRcJ9i1CrFjNM2FvMHTpX MzeAFXRBVGAPa/d1eEA+Bv39FjaJKV4WwkHH/0OllKrl/hWq/umeCp2gG+cuHevx n8mkbtoeLXxoTs3C8cZN06dc56W7mMkJ4xo8GqSJnthjd4gr39an16/y4HvAK7W9 UTGj08a2hBlZAq+GwUgDi5OW6fR/e8VyAN0DB7pLxlPlhFlVhxUpCcVUYEJdhp55 cp0NfUIK3iIltN7q0Sc8S0YriIVW456ZcaiCqlD8ltbhrmj5VpqhTQdUihdkERvj MfXD4DQrvvFe8NSiZ6seXTSZGO2vJvWfMoeW1UnWWv3X/Gewh7GURwoBxClxA0f+ 4hbJYaogiMEJBoCfoOtFwXVlhEaGBN6Ma2DofveiE9iFK7uKfifw3NnOTL5j/+PI embdQTyZgBQXWLHXgQTF/06TlfaI4PbgA9w5qTOYmoNeNV0KGnoKyUFxWX76kjci 7MtLZG9rqYtzFJKHP4v4GRVS3VScPEaVmottuc+3OQwqAt4LhOtWZaB0qI+/rmL/ geFO3l2xvP1dVNyOAfrzFSkL2QDceyccYmKh82utJpc4+8FiL0XQZDOKWczF48Aw qsRSd6sVoy0= =OG8l -----END PGP SIGNATURE-----