Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

      Shibboleth Service Provider Security Advisory [2 December 2013]
                              3 December 2013


        AusCERT Security Bulletin Summary

Product:           Shibboleth Service Provide
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4545  

Reference:         ESB-2013.1653.2

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA512

Shibboleth Service Provider Security Advisory [2 December 2013]

An updated version of the Curl HTTP client library is available
which corrects a TLS processing mistake introduced in older versions
of the library. Versions of Curl between 7.18.0 and 7.32.0 are affected
by this issue, corrected in 7.33.0.

Refer to the Recommendations section below for specific guidance on
how particular platforms are affected.

Curl library skips TLS server certificate name checking
A bug was introduced several years ago into Curl that caused the
library to, under specialized conditions, ignore the setting that
instructs it to enforce checking of the content of a server's TLS
certificate against the name of the server being contacted.
The Shibboleth SP operates in conditions that trigger this bug.

In most commonly deployed scenarios, this vulnerability does not
have major security implications for deployers. Shibboleth is usually
deployed by embedding specific public key certificates into SAML
metadata for the endpoints with which the SP will communicate with
an IdP. In this case, the name check is superfluous because the key
itself can't be faked.

In a small minority of scenarios, deployers may be relying on indirect
trust evaluation of a server's certificate by embedding the name of a
key into the metadata and specifying Certificate Authority roots of
trust in a Shibboleth-defined extension[1]. In rarer cases, a server
certificate may be part of a chain of trust used to verify remote
sources of metadata; this is not advisable, but is sometimes done in
the absence of a signature over the metadata.

In these rare cases, this issue becomes a critical vulnerablity. If
you are in doubt of your own deployment characteristics, you should
ask for help from the community.

The vulnerability in Curl has been published as CVE-2013-4545.

One additional note: another change made to Curl during the intervening
versions was to implement a more strict form of name checking in which
the presence of a subjectAltName extension in a certificate precludes
the use of the "CN" portion of the subject DN from the check. This can
cause issues with some certificates if the subjectAltName extension is
used to supplement rather than fully replace the use of the CN. The
certificates generated by the Shibboleth software do not have this
problem, but others may. This behavior change is intrinsic to Curl
and is not possible to undo.

Ensure that V7.33.0 or later of the Curl library is used and make sure
server certificates used for TLS do not carry incomplete subjectAltName

Where possible, avoid any use of the PKIX trust model at any level and
for any use. It's likely that this trust plugin will be turned off by
default in a future major upgrade because of issues like this one.

Platforms on which Curl is an OS-supplied component, such as most
versions of Linux, will need to ensure their vendor has supplied
an updated package to correct the issue, or (as in the case of Red
Hat 5) provide a version so old that it predates the bug's introduction.

On the Red Hat / CentOS 6 platforms, the Shibboleth Project provides our
own custom build of the libcurl shared library, and the RPM package for
this library has already been updated and published. The version supplied
with the OS is not usable with Shibboleth anyway.

For Windows installations, an updated installer[2] for V2.5.3 of the SP
software has been released that includes the fix.

Updating the SP to V2.5.3 in and of itself is not a fix for this issue.
The updated version has been expedited primarily to facilitate updates
of the libcurl version for Windows installations. Of course, this update
includes additional bug fixes that may be relevant to deployers and
you can review the list of fixes[3].

Thanks to Scott Koranda of LIGO for reporting the issue to the project,
and thank you to Daniel Stenberg of the Curl project for providing
prompt feedback on the scope of the issue.

URL for this Security Advisory:

URL for the vulnerability:

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/PKIXTrustEngine
[2] http://shibboleth.net/downloads/service-provider/latest/
[3] https://wiki.shibboleth.net/confluence/display/DEV/SPRoadmap

Version: GnuPG v1.4.14 (Darwin)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967