-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1634
Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do
                 Not Perform Proper Hostname Verification
                             22 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3607 CVE-2014-3604 CVE-2014-3603
                   CVE-2014-2604  

Reference:         ESB-2014.0770

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20140919.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [19 September 2014]

Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections
Do Not Perform Proper Hostname Verification
=======================================================================

OpenSAML-J and the Shibboleth IdP contain various components which make
connections to HTTP and LDAP servers, including HTTP configuration
resources, HTTP-based metadata providers, and LDAP authentication and
data connectors.

When used with an HTTPS or LDAPS scheme, these components are
susceptible to a man-in-the-middle attack due to a flaw in the
hostname verification used with SSL/TLS if a specially-crafted
server-side certificate is used. The lack of proper hostname
verification means that while the connection between the client
and HTTPS/LDAPS server is encrypted, the client may not have correctly
verified that it is actually communicating with the intended HTTPS or
LDAPS server.
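The following is an added illustration, not code from Shibboleth, OpenSAML
or either of the libraries named in the CVEs, of the check the advisory is
talking about: after the server certificate chain has been validated, the
client must still confirm that the name it connected to appears in that
certificate. A client that skips or weakens this step accepts any
certificate a CA would issue to the attacker for some other name, which is
exactly the man-in-the-middle condition described above. The matching rules
are a conservative reading of RFC 6125 (dNSName preferred over CN, whole
left-most-label wildcards only, IP literals matched only against iPAddress
entries); the certificate dictionaries are constructed samples in the shape
Python's `ssl.SSLSocket.getpeercert()` returns, and the host names are
made up.

```python
"""Hostname verification for a TLS peer certificate (added example).

Assumptions: `cert` is a dict shaped like ssl.SSLSocket.getpeercert(), e.g.
{"subject": ((("commonName", "x"),),),
 "subjectAltName": (("DNS", "x"), ("IP Address", "192.0.2.1"))}.
Chain validation (signature, expiry, trust anchor) is assumed to have
already happened; this is only the name-binding step.
"""
import ipaddress


def _match_dns_name(pattern: str, host: str) -> bool:
    """Match one presented dNSName (possibly wildcarded) against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard only as the entire left-most label, and only when at least two
    # further labels follow ("*.com" or "*.edu" must never match anything).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label; it never spans a dot, and the
    # bare base name ("ldap.example.edu" vs "*.ldap.example.edu") is not a match.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True only if `hostname` is bound to `cert` by its SAN or CN."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal is compared against iPAddress entries only; it never
        # matches a dNSName and wildcards are meaningless for it.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)

    if dns_names:
        # Once any dNSName is present the subject CN is ignored entirely.
        return any(_match_dns_name(p, hostname) for p in dns_names)

    # Legacy fallback: CN is consulted only when the SAN has no dNSName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_name(value, hostname)
    return False


# Constructed sample certificates (not real certificates).
IDP_CERT = {
    "subject": ((("commonName", "idp.example.edu"),),),
    "subjectAltName": (
        ("DNS", "idp.example.edu"),
        ("DNS", "*.ldap.example.edu"),
        ("IP Address", "192.0.2.10"),
    ),
}
# Legitimately issued to an attacker-controlled name; a client that does not
# check the hostname would accept it when connecting to ldap.example.edu.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.edu"),),)}


def connect_decision(cert: dict, hostname: str) -> str:
    """What a correct client does once the chain validates: proceed or abort."""
    return "proceed" if hostname_matches(cert, hostname) else "abort: hostname mismatch"


if __name__ == "__main__":
    for cert, host in [(IDP_CERT, "idp.example.edu"),
                       (IDP_CERT, "ds1.ldap.example.edu"),
                       (ATTACKER_CERT, "ldap.example.edu")]:
        print(f"{host:28} -> {connect_decision(cert, host)}")
```

In practice this logic should come from the TLS library rather than be
hand-rolled; the point of the example is to show what the library must be
doing for you, so that a client which only checks the chain (the condition
the advisory describes) can be recognised. A quick regression test for any
HTTPS or LDAPS client is to present it a certificate that chains to a
trusted CA but names a different host, as `ATTACKER_CERT` does here, and
confirm the connection is refused.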

For technical details about the nature of the vulnerability, see the
relevant CVEs listed below.

This issue is a follow-on to an earlier Shibboleth advisory issued on
August 13, and assigned CVE-2014-3603. The fix made at that time is
related to, but separate from this vulnerability, which was discovered
just after that patch was released.

The scope of this problem has now expanded beyond just use of the
HttpResource and FileBackedHttpResource features of the IdP to also
include LDAP connectivity via LDAPS for both authentication and
attribute resolution. It also affects all HTTP-based metadata providers,
although we have always strongly recommended the use of signature
checking when consuming metadata, which mitigates that issue.

Finally, please note that the Shibboleth Project has addressed the
not-yet-commons-ssl vulnerability in CVE-2014-2604 with a different
fix that does not involve updating the library version used. This is
due to incompatible changes made to that library that make the newer
version unusable by the project without further modifications.

Affected Versions
=================
Versions of OpenSAML Java < 2.6.3

Versions of the Identity Provider < 2.4.2


Recommendations
===============
IdP users: Upgrade to IdP 2.4.2 or greater.

OpenSAML users: Upgrade to OpenSAML Java 2.6.3 or greater.

References
==========
CVE-2014-3604
Not Yet Commons SSL: Hostname verification susceptible to MITM attack

CVE-2014-3607
vtldap/ldaptive: Hostname verification susceptible to MITM attack

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20140919.txt


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----