Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1723
Shibboleth Service Provider Security Advisory [2 December 2013]
3 December 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Shibboleth Service Provide
Publisher: Shibboleth
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-4545
Reference: ESB-2013.1653.2
Original Bulletin:
http://shibboleth.net/community/advisories/secadv_20131202.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Shibboleth Service Provider Security Advisory [2 December 2013]
An updated version of the Curl HTTP client library is available
which corrects a TLS processing mistake introduced in older versions
of the library. Versions of Curl between 7.18.0 and 7.32.0 are affected
by this issue, corrected in 7.33.0.
Refer to the Recommendations section below for specific guidance on
how particular platforms are affected.
Curl library skips TLS server certificate name checking
=======================================================
A bug was introduced several years ago into Curl that caused the
library to, under specialized conditions, ignore the setting that
instructs it to enforce checking of the content of a server's TLS
certificate against the name of the server being contacted.
The Shibboleth SP operates in conditions that trigger this bug.
In most commonly deployed scenarios, this vulnerability does not
have major security implications for deployers. Shibboleth is usually
deployed by embedding specific public key certificates into SAML
metadata for the endpoints with which the SP will communicate with
an IdP. In this case, the name check is superfluous because the key
itself can't be faked.
In a small minority of scenarios, deployers may be relying on indirect
trust evaluation of a server's certificate by embedding the name of a
key into the metadata and specifying Certificate Authority roots of
trust in a Shibboleth-defined extension[1]. In rarer cases, a server
certificate may be part of a chain of trust used to verify remote
sources of metadata; this is not advisable, but is sometimes done in
the absence of a signature over the metadata.
In these rare cases, this issue becomes a critical vulnerablity. If
you are in doubt of your own deployment characteristics, you should
ask for help from the community.
The vulnerability in Curl has been published as CVE-2013-4545.
One additional note: another change made to Curl during the intervening
versions was to implement a more strict form of name checking in which
the presence of a subjectAltName extension in a certificate precludes
the use of the "CN" portion of the subject DN from the check. This can
cause issues with some certificates if the subjectAltName extension is
used to supplement rather than fully replace the use of the CN. The
certificates generated by the Shibboleth software do not have this
problem, but others may. This behavior change is intrinsic to Curl
and is not possible to undo.
Recommendations
===============
Ensure that V7.33.0 or later of the Curl library is used and make sure
server certificates used for TLS do not carry incomplete subjectAltName
extensions.
Where possible, avoid any use of the PKIX trust model at any level and
for any use. It's likely that this trust plugin will be turned off by
default in a future major upgrade because of issues like this one.
Platforms on which Curl is an OS-supplied component, such as most
versions of Linux, will need to ensure their vendor has supplied
an updated package to correct the issue, or (as in the case of Red
Hat 5) provide a version so old that it predates the bug's introduction.
On the Red Hat / CentOS 6 platforms, the Shibboleth Project provides our
own custom build of the libcurl shared library, and the RPM package for
this library has already been updated and published. The version supplied
with the OS is not usable with Shibboleth anyway.
For Windows installations, an updated installer[2] for V2.5.3 of the SP
software has been released that includes the fix.
Updating the SP to V2.5.3 in and of itself is not a fix for this issue.
The updated version has been expedited primarily to facilitate updates
of the libcurl version for Windows installations. Of course, this update
includes additional bug fixes that may be relevant to deployers and
you can review the list of fixes[3].
Credits
=======
Thanks to Scott Koranda of LIGO for reporting the issue to the project,
and thank you to Daniel Stenberg of the Curl project for providing
prompt feedback on the scope of the issue.
URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20131202.txt
URL for the vulnerability:
http://curl.haxx.se/docs/adv_20131115.html
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine
[2] http://shibboleth.net/downloads/service-provider/latest/
[3] https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
iQIcBAEBCgAGBQJSnLS4AAoJEDeLhFQCJ3li9fMP/j4No1DC4C7dxISUjzevMplD
HUbNVQ7N2Fvdnob4CnjrmeRTgMxC9qsfWujw1DWdY2jvxrtgCjH3VMxN3xF8XOkH
leTkY1DxPwV4yz1J/ADjG4LitS5amWLXQAlelFjf7/yooP4+Qpu6ncWqAlILC4Vf
qDGRryBv/nfrupIA6PXE7lxelCZa+9MeNEytyEn0AmoA1pD81NNOp8tjtrI7sZR0
AcGexKp7Bcb4Sqp69aWALl4zepY7ZR3WV6NN3FSezV5KNL1VRbaL2NEbx/Gdjd/M
VT9HkRokheTlsRzTmYL+N+WDclPjhdI7X1Cfu7u1Oy1omBXPjg87sKRgzjmmPlqY
BArTJ+Ei/hElnboFANqPGxzlHgIKkd8AVD2pwAau8CNsFKu0jAA8VHXGJ/aAGW20
Ok7C7g2aiKH9Fgt/Xlflc5R89utSgE+Gk/9b6h9q7R/ep9GMsSc1Pa4T4N9XP1mx
ZtzldUKtH0jE3QHcjrj+JahHH/h/bVjsO25SUDeyMOywllPaPIQoWqrwE6l+K/Fb
3PuX61nln9W0ejADAH69c1uAQlzbYKMhkLlsWJLvT5I4Z0+aokMIMirO/jUGhg4B
NCwrWobQjwfFMq2MrUPZFmZ8XeHJk6cr5jlinjDKO/0G9TFT1DOu7M+U9xvJVSKu
AdGSrPn2JVMH7ptmhVSd
=hqvM
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUp1RRxLndAQH1ShLAQKMeg/+KIgWD4w3S7uAY9+CspPVhXFQ9d37agF7
X7SgQ3zCbDQy8UFgyUufjUO5Yc9yAJlFKDYUjQwF5mSvuyVI796CNs0UVPZj2pdb
ND7Oo2OkI05USGRaj2UOopOYh/WK7WrquliuK3hx5hiBseA3gd//sjFr6TzQJBiF
depQVc5aJUhiN/9BIqJ5dOHlJtVs7BLtMftBiWZRrTHAcbKEWmMZmJHYS0W2eqK6
7Xm8bol1sXH7XdgE7UAxwzKvmN16rJsUYH0AvoiL/kESu3WBpODbsUHO2+OkRcp9
+R7FNC3KxhblDqrWpAMBWwof1W1+D4ArFeE/SyA22Lgk6ZwUGz4SK5dU7By8Htwc
mNGjAIKGo7X6Upvuu8Fxd4hPPLeF+CEXzXBqAouvFq2mOAdIbRqdMw4/AQZkUZSH
q3h2zqwZXsx3Nbj+u2WyJVzxwdvBRiOmL1AXVJIhGehklwR4qm++TG8xX6TJuJ1G
krXTpstQhx5fXY3G0ZRdZJVm4bBX9t1+rers1TVymdVz2AIS35qF937Q1JyilvWh
x6gvhDBzBR/7NFyB1+c+hAVj2jRkwhHByiccV5EIpj0nHaDhD+gaSX99GPyXxG5C
Wk2s43NCXbGLJ6DqeIb8YFTGzaRE/K8BFNi3ScYg74kZxIvwUGntNq0/jQbSv5r5
LgAoxeabjno=
=81H+
-----END PGP SIGNATURE-----