-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1095
         Shibboleth Service Provider Security Advisory [4 May 2016]
                                  5 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://shibboleth.net/secadv/secadv_20160504.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Shibboleth Service Provider Security Advisory [4 May 2016]

This issue is rated as "critical", and allows an unauthenticated remote
attacker to access protected resources, but it affects only a subset of
deployers. Deployers that do _not_ make use of the <PathRegex> feature
are _not_ impacted.

All versions of the Shibboleth SP available are vulnerable to the issue,
and deployers should take immediate steps as outlined in this advisory.

Shibboleth SP software <PathRegex> feature implemented incorrectly
=======================================================================
The Service Provider software includes a feature to specify protection
rules and other settings based on evaluating a regular expression against
a portion of the requested URL path. It is used by including a <PathRegex>
element in the <RequestMap> construct, typically in the shibboleth2.xml
configuration file, and is documented in [1].

This element supports a property named ignoreCase that was meant to
default to "true", and would allow for a regular expression to match in
a case-insensitive manner (e.g. the path "Foo" would match "foo").
Unfortunately, the property was mistakenly implemented in reverse, and
the "true" value was implemented to cause the matching to be
case-sensitive. Setting the value to "false" at present results in the
intended behavior, while appearing to specify the opposite.

While patching this is extremely simple, creating a situation in which
the setting would have the opposite meaning in different versions, and
even worse would change its meaning after a patch, was not deemed to be
acceptable, and so an alternative plan was developed:

1. Disclose the issue and advise deployers using this feature to change
   the setting to fix their configurations for the time being.

2. Create a new setting in a small feature update (V2.6.0), likely called
   "caseSensitive", that would replace use of the original setting. At
   that point, the ignoreCase setting would be formally deprecated and a
   warning logged when detected.

There are no known mitigations to prevent this issue apart from applying
this workaround.

Recommendations
===============
Check your shibboleth2.xml configuration for the <PathRegex> element.
If used, check for the ignoreCase attribute in the element. If found,
reverse the value (true to false, false to true). If not found, add
ignoreCase="false" to the element. Restarting the web server will not be
required to effect the change.

It is advisable that you create an XML comment near this change to denote
the purpose and the confusing value and to revisit it once the new setting
is made available to correct the issue.

Note that if following best practices, only IIS and FastCGI deployments
would be affected by this issue. Use of Apache commands to supply rules
is strongly advised over use of the RequestMap feature, and deployers
following that advice are not impacted by this issue. Those using the
RequestMap with Apache may wish to revisit that approach, particularly
if they are impacted by this issue.
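The following script is an added example, not part of the Shibboleth advisory or of the SP code base. It models the inverted ignoreCase semantics the advisory describes (ignoreCase="true" evaluates case-sensitively, "false" case-insensitively), audits a constructed shibboleth2.xml fragment for <PathRegex> elements, and applies the recommended workaround: reverse any existing ignoreCase value, or add ignoreCase="false" where the attribute is absent. Two assumptions are made that the advisory does not state outright: that an absent attribute behaves like "true" (the intended default) and is therefore case-sensitive today, and that Host/Path nesting can be ignored so that every PathRegex is evaluated against the request path. The configuration, host name and paths are constructed for illustration.

```python
"""Added example: audit a shibboleth2.xml RequestMap for the <PathRegex>
ignoreCase inversion and apply the advisory's workaround.

Illustrative code, not Shibboleth SP's implementation. It models the
behaviour the advisory describes: ignoreCase="true" is case-SENSITIVE and
ignoreCase="false" is case-insensitive. Assumption: an absent attribute
behaves like the intended default "true", i.e. case-sensitive as well.
"""
import re
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org">
        <PathRegex regex="^/secure/" authType="shibboleth" requireSession="true"/>
        <PathRegex regex="^/admin/" ignoreCase="true" authType="shibboleth" requireSession="true"/>
        <PathRegex regex="^/legacy/" ignoreCase="false" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def buggy_match(regex, path, ignore_case=None):
    """Evaluate a PathRegex rule with the inverted semantics from the advisory.

    ignore_case is the raw attribute value (None when absent). Only the
    literal "false" gives case-insensitive matching; "true" or absent
    gives case-sensitive matching.
    """
    insensitive = ignore_case is not None and ignore_case.lower() == "false"
    flags = re.IGNORECASE if insensitive else 0
    return re.search(regex, path, flags) is not None


def matching_rules(xml_text, path):
    """Return the regex of every <PathRegex> that would apply to `path`.

    Assumption: Host and Path nesting is ignored; every PathRegex in the
    file is evaluated against the request path.
    """
    root = ET.fromstring(xml_text)
    return [
        el.get("regex")
        for el in root.iter()
        if _local(el.tag) == "PathRegex"
        and buggy_match(el.get("regex"), path, el.get("ignoreCase"))
    ]


def apply_workaround(xml_text):
    """Apply the advisory's recommendation to every <PathRegex>: reverse an
    existing ignoreCase value, or add ignoreCase="false" if it is absent.

    Returns (patched_xml, changes) with changes as (regex, old, new) tuples.
    """
    ET.register_namespace("", SP_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(xml_text)
    changes = []
    for el in root.iter():
        if _local(el.tag) != "PathRegex":
            continue
        old = el.get("ignoreCase")
        new = "true" if old is not None and old.lower() == "false" else "false"
        el.set("ignoreCase", new)
        changes.append((el.get("regex"), old, new))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    request = "/Secure/report"
    print("before:", matching_rules(SAMPLE_CONFIG, request))  # [] -> unprotected
    patched, changes = apply_workaround(SAMPLE_CONFIG)
    for regex, old, new in changes:
        print(f"  {regex}: ignoreCase {old!r} -> {new!r}")
    print("after: ", matching_rules(patched, request))  # ['^/secure/']
```

Run against the sample, a request for /Secure/report matches no rule before the workaround (the default is effectively case-sensitive, so the resource is served unprotected) and matches ^/secure/ after it. The script does not insert the XML comment the advisory recommends next to each changed attribute; add that by hand so the inverted value is not "corrected" back by a later reviewer.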
Credits
=======
Scott Koranda, Spherical Cow Group

[1] https://wiki.shibboleth.net/confluence/x/RYBC

URL for this Security Advisory:
https://shibboleth.net/secadv/secadv_20160504.txt

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXKgefAAoJEDeLhFQCJ3lirfcQAI2LNdhGK81+db7b1nsvWMtl
2h8UnY0LeApEw3lHKoU/+Nl5v3ruK+PY+RvTweKDyg8xnqukP2obCdsRoiOsYqtH
7AzcHbP9cVTbOZ9ILblZpp7XNJS+rGYzgPRcWbeUiMPLYShWNEBeVbdXuWiVjmPH
w9HaPzR2ZpXtwopq0JqLwAGv5M68pjXEzuErkvWbaTHB/CuGaBy8YZbdaCsqpox0
GQ83yL8mTzmVzcIk2SU68J/oj8Xan6uS7rsBfmmpZhScijj9pZbNJpIu/PfpG3cG
2/MOfPTQA18W/xPtfjUBkTVP3PeFYcf3ahVMe0weU3tDGXVzOd60cp75b9TF4z/i
lSRsUB2lbyh9Vdrzz3O+iSh/FhDhris6HYw4F2cZArp3tRSX68amjtmy7ugDC0lE
prKRNjakJsfwNThCqYINhwRxoDOXyOqugEgU0LUYPIG1/sroWLCmW0DVMF13uVXx
cfcqQbq4W0qyYoQ7MAiGtn74Bc5++duu8Cp/3YNV2ywm/31wAYlfrHuHuxfc88Ik
Fs1R+WcH8nTi4jpir2OMBdFeIUolv6r9KctlnulipAth+BFZQV/1ZNNElAaGsgAe
FodsUr7uDu1tFxRhllM8/yc6f1PtqXAflnYAMHoAESn3rugH1HTQ4MlluetrP0+M
2YAT7sTmTJhRQhnnMo4O
=ZyOp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVyqp1H6ZAP0PgtI9AQJLkxAArR9JN9A5RUUq5tDkGmhXgycIEFpU6BjM
Mh/MsP68i4+CWWMvfaeS7lT9y7FTKBVxWRUqvsn5ydGx2pK+OztfXodjdlNxia06
1/X9ZQ/RLU+tsOLiV59JWgLR6mNqwOt3fQfOUUg8Yh/IWTNkyy9uusdkv9jJ2tyz
5kxDoZwPC9spn3k6M6uO0ZfH9xiFaIf1sOdM/SJV6FWrFVAcmqEOes43ldg+IcDb
gfp7N2deMHeCxgcC37qfzEc/5X6UY20JJCc91cxZRjw1YGWb/EpyxZ8x0GgmV+iV
EFCMvxe2mkVcDnkPQnsyfJjaPtsmSkDwV8svCCggtQtC/JQSQDjY7Cf9ebcogzA8
jfCIfj4vnYYbR2zfcwSjP5YyTBgSv1j6ujbzOet1zhEYuhNRsZSwnHWXfTywYDLO
g+kreyAHWNdU6s8PQt18JoP9qYpQY+u31je1eHHEJHLHEFAmLBdGZKspsuEmvZO8
ANWfbZQ08bIu5rv+T+csC5WBxpqW6T65ek+aOqBnyMhaZ+MqzvmmmLzr2Qoa87I2
0NAfxWQLr0sa5yEW9XTcKjWcH0VbrGwO99c0ZSwiRBXN475E7y5+t2HhHYd0nHxY
1dylTfYAS65jbwEfWvCXTKi3u/KNKhVMQ99Drc87B9+bqEznjjQ6MXhc8tOQWzFw
KhjBNUAVbOw=
=gaB1
-----END PGP SIGNATURE-----