-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1634
      Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS
          Connections Do Not Perform Proper Hostname Verification
                              22 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3607 CVE-2014-3604 CVE-2014-3603 CVE-2014-2604
Reference:         ESB-2014.0770

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20140919.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [19 September 2014]

Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections
Do Not Perform Proper Hostname Verification
=======================================================================

OpenSAML-J and the Shibboleth IdP contain various components which make
connections to HTTP and LDAP servers, including HTTP configuration
resources, HTTP-based metadata providers, and LDAP authentication and
data connectors. When used with an HTTPS or LDAPS scheme, these
components are susceptible to a 'Man in the Middle Attack' due to a flaw
in the hostname verification used with SSL/TLS if a specially-crafted
server-side certificate is used.

The lack of proper hostname verification means that while the connection
between the client and HTTPS/LDAPS server is encrypted, the client may
not have correctly verified that it is actually communicating with the
intended HTTPS or LDAPS server.
For technical details about the nature of the vulnerability, see the
relevant CVEs listed below.

This issue is a follow-on to an earlier Shibboleth advisory issued on
August 13, and assigned CVE-2014-3603. The fix made at that time is
related to, but separate from, this vulnerability, which was discovered
just after that patch was released.

The scope of this problem has now expanded beyond just use of the
HttpResource and FileBackedHttpResource features of the IdP to also
include LDAP connectivity via LDAPS for both authentication and attribute
resolution. It also affects all HTTP-based metadata providers, although
we have always strongly recommended the use of signature checking when
consuming metadata, which mitigates that issue.

Finally, please note that the Shibboleth Project has addressed the
not-yet-commons-ssl vulnerability in CVE-2014-2604 with a different fix
that does not involve updating the library version used. This is due to
incompatible changes made to that library that make the newer version
unusable by the project without further modifications.

Affected Versions
=================
Versions of OpenSAML Java < 2.6.3
Versions of the Identity Provider < 2.4.2

Recommendations
===============
IdP users: Upgrade to IdP 2.4.2 or greater.
OpenSAML users: Upgrade to OpenSAML Java 2.6.3 or greater.
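The flaw described above comes down to one missing or incorrect comparison: the name the client set out to reach is never properly matched against the names carried in the server certificate, so a certificate that chains to a trusted CA is accepted even though it was issued for some other host. The following Python is an added example, not code from the Shibboleth project, OpenSAML, or either affected SSL library; it shows the check a TLS client is expected to perform (subjectAltName dNSName entries take precedence over the subject CN, a wildcard matches only a single left-most label, IP addresses are matched only against IP-address SANs), and the `ssl` context setting that turns that check on or off. The sample certificates are constructed by hand in the dict form that `ssl.SSLSocket.getpeercert()` returns and are hypothetical.

```python
"""Server hostname verification as a TLS client should perform it.

Added example (not Shibboleth/OpenSAML code). The certificate dicts below
are constructed samples in the format ssl.getpeercert() returns.
"""
import ipaddress
import ssl


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host name (RFC 6125 style).

    Comparison is case-insensitive. A wildcard is accepted only when it is
    the entire left-most label, only when at least two labels follow it
    (so "*.org" never matches), and it never spans more than one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True iff `cert` is valid for `hostname`.

    If the certificate carries any DNS subjectAltName, those entries are
    authoritative and the subject CN is ignored; the CN is consulted only
    for legacy certificates with no DNS SAN at all. A literal IP address
    must appear as an "IP Address" SAN.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def client_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """Build a client SSLContext.

    create_default_context() already sets CERT_REQUIRED and check_hostname.
    Passing verify_hostname=False reproduces the weak configuration: the
    chain is still validated, but any certificate from a trusted CA is
    accepted regardless of the name it was issued for.
    """
    ctx = ssl.create_default_context()
    if not verify_hostname:
        ctx.check_hostname = False
    return ctx


# Constructed sample certificates (hypothetical names, getpeercert() layout).
LEGIT_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.sso.example.org")),
}
# CN names the IdP, but the SAN says the cert was issued for another host.
MISMATCHED_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "idp.example.org"),),)}
BAD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.org"),)}
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}


if __name__ == "__main__":
    for cert, host in [(LEGIT_CERT, "idp.example.org"),
                       (MISMATCHED_CERT, "idp.example.org"),
                       (BAD_WILDCARD_CERT, "idp.org")]:
        print(host, "->", "accept" if hostname_matches(cert, host) else "reject")
```

The MISMATCHED_CERT case is the one that matters for this advisory: a verifier that looks at the CN first, or that only checks whether the expected name appears somewhere in the certificate, would accept it, while a SAN-first comparison rejects it. With a real socket, the same outcome is obtained by leaving `check_hostname` at its default of True and passing `server_hostname` to `wrap_socket()`; the context built with `verify_hostname=False` is the configuration to look for when auditing a deployment.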
References
==========
CVE-2014-3604
  Not Yet Commons SSL: Hostname verification susceptible to MITM attack

CVE-2014-3607
  vtldap/ldaptive: Hostname verification susceptible to MITM attack

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20140919.txt

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUG34ZAAoJEDeLhFQCJ3liVewP/A90qic6+vAyn9JqNaP+3eSB
qUhOOlpdHOOZ8ZQAS1fv8d+pVCuguBS74wGYU6pAgqvcD3cTfMyNngaruKI7iIhP
aWzi0Yu+Ijya7XDYDPGwtATlaInxm5gzmau0N3/rgVs9yQ1yHXET34jeB0CWtUJL
mNKyx5pnysq0DpXHHElHpe+3ySODsktKaivIVCwVqqywaHPMwo8inlt0Dymr1msl
okRzbqHdrxh2RRueGdagfsQ0L8rxnbTCcCjbVfprUDKnwtfXUISiYTk+SdDFrrS6
nLuTEsoADBVKtwvaKp1+5tRJevgA6LfKdrtPoTGHdVZx/I2lWDWjdek39vkKq+Gm
izX4h5POlUD7zMedR3icV4hFbZnDoCHfmKfLE/b+IK4vhjPuKe9xbwyLyPMTLDO0
7oGIUnhV0Wsj31CvZf8ueks5xtcwwEN5jvt53vqsadNxbyv6PHzI/Eoh/oQ8mN3r
9EnS1WFbZekGGortO5vJXQPaK82w82nnv6vn8ifJewi35MSmt+IFgvbYmYl75noP
+vJNJt/Fn6Ugp8OEsF3UkXpIkQtNFBUgCj9HkCn4Q1qGTaPfGqFZzwiMTsSbOqED
fBn2ihAMgBe8n+U6jJ2XVATHsK+LVPj8Qq41e3C2TVBDb8nM7BVAYY6dqba18vE6
UVgS5L+8pKxYoXuZCJ1Y
=0XeM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVB9z5hLndAQH1ShLAQL1tBAAnIntCIGKIxW/mP+oeBYzVF430+9fPwrB
zREjZv1dePKtUlQll94wmIi8DZT7UyJI8StqGzI91kq8jgo4XWMZUFBpNAatOTbG
ZJt1d9kNXVkKvYTVoPeOgwHhZprVrnPhhQ1TJy18aPD5aDkPoqiMT3fifuaIUxGe
AN6O7LOEk9Dj3D1D8xb8JXeW/Jp8CnCDUwbKFggIyc08wNyqvX7B6ZeTgKOdmoap
yOdZlJlKmgq5+aLMxdpeoh+LgEcmnNC+PWZSzo1eitPqlILA86nSGzQ/QsfRN4Nv
g9c25WJggDbopPsdT+7+001PWXl9DVmT37hlO9PQVjEdhFPp1z4+k6K6bkuF/A4Z
gBxvWZ1orAhhPPYRgqqjmzTckF68QmY6gryGAYz4zSgl3uUQk1Jxp5uCghkMqK5U
gUIHjzW8W0sbcXb9mmW9cZR3gBoy6zC/Usq3mYqg2sFsUg6VG190UdWWlz1pqOOB
iY+JELmP64SRJHe86+8Yqkz8IJc9emn03wQ+kg28HWh8A6VBaBwzqGx0PSMOjBiE
kQHCJAPckBn8L1WIlfL2xF1EHBU6OCcTd+uNNMfDRLK0mQV0TkuvP1jKOKeyKTEh
sLId7+jOwollq2TszNvcNpnxvM/+cKK1yqDnNZ+yn2in+2YsrNmlAEf/vNK0f961
vt5x+UIcowE=
=Nwx4
-----END PGP SIGNATURE-----