Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0416
CA20130319-01: Security Notice for SiteMinder products using SAML
21 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CA SiteMinder
Publisher: CA
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2279
Original Bulletin:
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CA20130319-01: Security Notice for SiteMinder products using SAML
Issued: March 19, 2013
CA Technologies support is alerting customers to a potential risk
with certain CA SiteMinder products that implement Security Assertion
Markup Language (SAML). Multiple vulnerabilities exist that can
possibly allow a remote attacker to gain additional privileges. The
vulnerabilities, CVE-2013-2279, concern the verification of XML
signatures on SAML statements. An attacker can perform various
attacks to impersonate another user in the single sign-on system. A
solution is available, see details below.
Risk Rating
High
Platform
All platforms
Affected Products
CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (Standalone)(1) 12.1
CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Agent for SharePoint 2010
CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 6.0
Note:
(1) CA SiteMinder Federation (Standalone) was previously known as CA
Federation Manager.
Non-Affected Products
CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR2
CA SiteMinder Agent for SharePoint 2010 SP1
CA SiteMinder Web Access Manager, all releases when not using
Federation capabilities
How to determine if the installation is affected
Check the Web Agent log or Installation log to obtain the installed
release version. Note that the "webagent.log" file name is
configurable by the SiteMinder administrator. If the version is prior
to the fixed release indicated in the Solution section, then the
installation is vulnerable.
Products may be subject to this vulnerability when used with SAML
1.1, SAML 2.0, and WS-Federation protocols. For more details on
potential mitigations, please see the Workaround section below.
Solution
CA Technologies issued the following updates to address the
vulnerability. Updates are available through the Download Center on
the CA Technologies support.ca.com website.
Affected Release
Remediated Release
CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.1
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder Agent for SharePoint 2010
CA SiteMinder Agent for SharePoint 2010 12.5.1
CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR2
CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 12.5 CR2
CA SiteMinder for Secure Proxy Server 6.0
CA SiteMinder for Secure Proxy Server 12.5 CR2
As the fix introduces additional checks on the validity of assertions
and other signed XML messages, it is possible, although unlikely, that
an existing partner may send assertions that fail the validity check.
If this happens, we recommend that you have the partner fix the issue.
If this is not possible, and you are willing to accept the risk of
disabling enhanced signature validation, you can do the following:
1. Navigate to the xsw.properties file in one of the following
locations:
*If you see the error message in the smtracedefault.log file, go to
fed_mgr_home/siteminder/config/properties
*If you see the error message in the fwstrace.log, go to
fed_mgr_home/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes
2. Add the following settings to the xsw.properties file, and set each
one to true.
DisableXSWCheck=3Dtrue
This disables the signature vulnerability checks, and only applies on
the policy server.
DisableUniqueIDCheck=3Dtrue
This disables the duplicate ID check, and applies to both locations.
This change should be made in both locations.
Workaround
Please note that SAML 1.1 and SAML 2.0 artifact transactions are not
affected, as SSL transport layer security is used to protect the
contents of the assertion.
To reduce exposure when SAML 1.1 and SAML 2.0 POST are used, please
ensure that assertions are both signed and encrypted, *and* the key
used for signing the assertion has not been used to merely sign
anything else that is publicly available (for example metadata). In
that configuration, the assertions should not be vulnerable, as the
encryption hides the signed block, and a potential attacker cannot
get a valid signed XML block to use in the substitution attack. Given
the difficulty in determining whether or not your signatures have
been compromised we strongly recommend upgrading to address the
vulnerability.
References
CVE-2013-2279
"On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012;
Juraj Somorovsky, Andreas Mayer, Joerg Schwenk, Marco Kampmann,
Meiko Jensen
CA20130319-01: Security Notice for SiteMinder products using SAML
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Change History
Version 1.0: Initial Release
If additional information is required, please contact CA Technologies
Support at http://support.ca.com/
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team:
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Regards,
Kevin Kotas
Director, CA Technologies Product Vulnerability Response Team
Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia,
N.Y. 11749. All other trademarks, trade names, service marks, and
logos referenced herein belong to their respective companies.
- -----BEGIN PGP SIGNATURE-----
Charset: utf-8
wsBVAwUBUUjib5I1FvIeMomJAQGtYwgAkE1ExBVI4lGkptHGugNY8wwejzlDzHN0
ef7J6F5t06j8eziTMeczaupH22ydFPkMC5iTmXWqafLzX4kmFGzISVIOlrdqFfdK
nkACsZyzl2NogjgIa3fEp0ZpV1T7q+wSpyCnHYCDLr57BFn1a2ZBeQqqBfibye+A
ZlyHGtEJnfS+H8/ZmS5voU/AliFwj3WOkaIvUFk5gK+tbzipkiQhdvoHPTSlIPZB
+0VQpfVAGG2SVKXn4QTPz/zeY3/JX7SjA0Q9hLVuYe0acCPc+6Q8hGIRmfd7czEb
G41+7S+EDdjJy3c5IzUc1FNvUZJ3IDpolH/jc9nyYgmYNzHvDtfv5A=3D=3D
=3DN0tz
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUUqddu4yVqjM2NGpAQKTixAArM+9Zdim8xJtAsnyiS1TfyXySwRriwOk
UhcIp9uhgQiDxu4z9oNSwciUkj9TzjYQZDuNiNBwlWQjRcJ9i1CrFjNM2FvMHTpX
MzeAFXRBVGAPa/d1eEA+Bv39FjaJKV4WwkHH/0OllKrl/hWq/umeCp2gG+cuHevx
n8mkbtoeLXxoTs3C8cZN06dc56W7mMkJ4xo8GqSJnthjd4gr39an16/y4HvAK7W9
UTGj08a2hBlZAq+GwUgDi5OW6fR/e8VyAN0DB7pLxlPlhFlVhxUpCcVUYEJdhp55
cp0NfUIK3iIltN7q0Sc8S0YriIVW456ZcaiCqlD8ltbhrmj5VpqhTQdUihdkERvj
MfXD4DQrvvFe8NSiZ6seXTSZGO2vJvWfMoeW1UnWWv3X/Gewh7GURwoBxClxA0f+
4hbJYaogiMEJBoCfoOtFwXVlhEaGBN6Ma2DofveiE9iFK7uKfifw3NnOTL5j/+PI
embdQTyZgBQXWLHXgQTF/06TlfaI4PbgA9w5qTOYmoNeNV0KGnoKyUFxWX76kjci
7MtLZG9rqYtzFJKHP4v4GRVS3VScPEaVmottuc+3OQwqAt4LhOtWZaB0qI+/rmL/
geFO3l2xvP1dVNyOAfrzFSkL2QDceyccYmKh82utJpc4+8FiL0XQZDOKWczF48Aw
qsRSd6sVoy0=
=OG8l
-----END PGP SIGNATURE-----