-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1308
        Shibboleth Identity Provider Security Advisory [18 May 2017]
                                 22 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20170518.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Shibboleth Identity Provider Security Advisory [18 May 2017]

Default Kerberos configurations are unsafe
==========================================

The Identity Provider software includes login support for the Java
Kerberos implementation [1], as well as support for JAAS [2], which also
supports the use of Kerberos. Both approaches require care in configuring
your system, and Java's default behavior may be unsafe in some scenarios,
warranting this advisory to ensure deployers have taken the appropriate
steps. Deployments that do not make use of one of these features, or which
use the SPNEGO feature, are not impacted by this advisory.

The issue of concern is the support for DNS to locate the KDC server(s)
for a realm dynamically. Usually realm information is statically
configured in a krb5.conf file, but Kerberos also defines a mechanism for
locating servers with DNS SRV records. When enabled, a request for a TGT
for a principal name containing a realm (e.g., name@REALM.ORG) can cause a
Kerberos implementation to look up the KDC for that realm in DNS and
automatically use the result. In other words, a password login whose
username carries a realm the deployer never configured can lead the IdP's
Kerberos client to look that realm's KDC up in DNS and authenticate
against whatever server it finds.

This may allow an attacker to successfully supply an unexpected username
and password to an IdP and, subject to additional assumptions, could
result in assertions being issued containing unexpected and/or attacker-
influenced data. The full impact depends on how your login configuration
supplies usernames to the rest of the system and how your attribute
resolution logic is constructed, but such an unexpected username could
easily cause havoc or lead to security vulnerabilities.

A "correctly" configured system is not vulnerable, and this issue is not a
bug or flaw in the Shibboleth software. But the primary setting
controlling this behavior in Kerberos, the dns_lookup_kdc flag, defaults
to "true" in Java versions 7 and above (it defaulted to "false" prior).
There are a number of mitigations for this behavior, discussed further
below.

Affected Versions
=================
All

Recommendations
===============
Above all else, be aware of your Kerberos configuration and how it's meant
to behave. In most cases, you should ensure that the [libdefaults] section
of krb5.conf contains the setting "dns_lookup_kdc = false" unless you
intend for DNS lookup to be used.

In all cases, but certainly if this feature is enabled, it is strongly
advisable to configure the IdP software to verify the KDC by supplying a
service principal and keytab. Such a check guarantees that a realm other
than one known to the IdP cannot be used, regardless of whether it can be
located or not.

Another mitigation is the use of a transformation rule to prevent the IdP
from processing usernames that contain a realm. For example, something
like the following in password-authn-config.xml:

    <util:list id="shibboleth.authn.Password.Transforms">
        <bean parent="shibboleth.Pair" p:first="^([^@]+)(@.*)?$" p:second="$1" />
    </util:list>

Note well: Oracle's Kerberos JAAS module does NOT support KDC verification
by itself when used in server-side environments. Combined with their
decision to enable DNS by default, it is an unsafe approach out of the
box. Thus, if you make use of the IdP's JAAS support and not the direct
Kerberos support, you MUST be sure to rely on one of the other suggestions
in this advisory.

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20170518.txt

Credits
=======
Ian Bobbitt, Indiana University's GlobalNOC

[1] https://wiki.shibboleth.net/confluence/x/f4EEAQ
[2] https://wiki.shibboleth.net/confluence/x/d4EEAQ

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZHbj+AAoJEDeLhFQCJ3li9swP/1otAq9nkKcnGQpUxE4+cODd
UOb4e7oTf5q2h/lP7EjWryxSb5bb7HRFyklDkEi2VgzEpjTiVn5g5Zv2NDL6Ua9O
sMQBVb5Png4hVCQ67oSzLWVxwTMu317U5DqK/YR8TjUjPGOo772/4Pjp/4u8Zb0k
XIq3L8yKxX7ze1M+BB2dTvNW6KIYVHQ++BV9KKyvK5Q5dPP9zHmS0dCTF9fJ7CAk
bGqIYSEPYZdPKAjZzX4b/bT3kzUO2mEwXMTavoJICZU9OukYiq/+dpA9+8/lSKoF
ki7SsiCDrwRyurhJLdIxjNtMxWiplx+6HU0cc7K/GY8d5S+DBt77GV8JTkw3SLUS
5QS2lKCMAWDRBTpcQzDYB5RzejJAa0JMHsSbdDll4iuQLNdFyVVtSNqD6LWk6ttB
jDx+Ysinte2CZLLAQHjnvsenONCpz+/16NZ/61sfNOYo4vkL0oCBO67Ymyj/GvDh
zxKdqNe3PccPVcPRILBT6at4U2ky1LKLILVCDZpdJoPDiPXMr30rzTHBjQVJW7w0
vO2D3RhOG7mtN4GLs2uRQsMod898U0JMZ0sTicDdGKgUK885ufu4n1q/hts/Nurq
51flKgN/r/wJwj+STHk5L+e3K56rEn0x0Ac7WffjL0ygZWTO9rOYf8oLT4UrBPtW
PO4p0uw+UaKVHT5PNwrI
=CltR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWSI80Yx+lLeg9Ub1AQhxUA/8CX3T5IaamjdB1JzX8CLes+w0qdWRgoQF
/zzIFVgwSol1zwV+kvtyMJ4ZiGLQ2zDt9jSQzPzzfzFGyEmWnb2PQrYf3xsegOTg
BkzypkogDyc9CFUrd3OZDkAftHdqVZ2Or71OZksOHytf1tAZH9lsHBf8KF/pqv+W
L52UqGfeRrXwQNMEV0sltsQsn4JoASL8RvD817fQ4bzlx/d2I+rSnMfEfXVPSaox
/uQRuwiVZq4yjGUQGSh0Aeh44+hD5wnOecWelVwlPN/oXyQNwpOL7Zj+bEuCUIX+
6kWpJGRymXwmV3pkmpZrYXLZoXijb8Q6s/J6J0IKnLDFVsSPm/fcZUsC90f+JOzU
lL8XvtV8M+N0roSi1xBYydXHfi4wfAuwH1XhnaUXKaFYkHKMLcDnKsLvRueYfC14
qs+rcS9MCm2OL/SRUkmEUKZH6Pr9UeR0N6Pti1LTUFZkPz/R2+vONhz0gL5KuakQ
vtVasuuPlXNRUUHsVIlgdpGBloq3vRiuS95ab4bWru5oTyE/hnmXxqueCi2XNl+O
5uBvhLfkTGm9d3HfU4qSLXiUeAGWZVzNLiFo5wYe5zOhCtNTqI0m91N3uRFrxGQI
IKOlM2eqwFfCGJxFNRhu0Hcq2bQPq6bkHL1W1uYy0l07OkjFu6O3J39frxIayS28
862M0ocZqZE=
=mAZ7
-----END PGP SIGNATURE-----
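Editor's added example (not part of the Shibboleth advisory, the AusCERT bulletin, or the IdP code base): an offline check for the two configuration-level mitigations the advisory recommends. It reads the dns_lookup_kdc flag out of a krb5.conf's [libdefaults] section, treating an absent flag as "true" the way Java 7 and later do, and applies the advisory's realm-stripping transform regex to submitted usernames to show what reaches the Kerberos client with and without the rule. The realm names, KDC host name and sample logins are constructed for illustration. The example also assumes that the Java Kerberos client consults the [realms] stanzas in krb5.conf first and only falls back to DNS for realms the file does not name; that ordering is an assumption about the Java client, not something the advisory states.

```python
"""Added example, not code from the Shibboleth advisory or the IdP project.

Offline checks for the advisory's two mitigations: (1) does krb5.conf leave
dns_lookup_kdc at Java 7+'s default of true, and (2) what the realm-stripping
transform does to a submitted username. Realm and host names in the sample
krb5.conf and the sample logins are constructed for illustration.
"""
import re

# Regex and replacement from the advisory's Transforms bean: keep the part
# before '@' ($1) and drop any realm suffix.
REALM_STRIP = re.compile(r"^([^@]+)(@.*)?$")

# Constructed: a krb5.conf that relies on the Java default for dns_lookup_kdc ...
KRB5_CONF_DEFAULT = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""
# ... and the same file with the setting the advisory recommends.
KRB5_CONF_HARDENED = KRB5_CONF_DEFAULT.replace(
    "[libdefaults]\n", "[libdefaults]\n    dns_lookup_kdc = false\n")


def _entries(krb5_conf_text):
    """Yield (section, line) for each non-comment, non-header line."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        else:
            yield section, line


def dns_lookup_kdc_enabled(krb5_conf_text):
    """True if KDCs may be located via DNS SRV records. An absent flag
    counts as enabled: Java 7 and later default dns_lookup_kdc to true."""
    value = None
    for section, line in _entries(krb5_conf_text):
        key, sep, val = line.partition("=")
        if section == "libdefaults" and sep and key.strip() == "dns_lookup_kdc":
            value = val.strip().lower()
    return True if value is None else value in ("true", "yes", "1", "on")


def configured_realms(krb5_conf_text):
    """Realms with a [realms] stanza, i.e. KDCs the file names statically."""
    return {line[:-1].rstrip(" =") for section, line in _entries(krb5_conf_text)
            if section == "realms" and line.endswith("{")}


def strip_realm(username):
    """The advisory's transform. None means the regex did not match (empty
    local part); a deployment should fail such a login, not pass it through."""
    m = REALM_STRIP.match(username)
    return m.group(1) if m else None


def kdc_srv_name(realm):
    """One of the SRV names (RFC 4120) a client queries when DNS lookup is on."""
    return "_kerberos._udp." + realm


def audit_login(username, krb5_conf_text, transform_enabled):
    """Where the IdP's Kerberos client would look for a KDC for this login.
    Assumes statically configured realms are consulted before DNS."""
    name = strip_realm(username) if transform_enabled else username
    if name is None:
        return "rejected: transform does not match"
    _, at, realm = name.partition("@")
    if not at or realm in configured_realms(krb5_conf_text):
        return "static KDC from krb5.conf for " + name
    if dns_lookup_kdc_enabled(krb5_conf_text):
        return "DNS lookup of " + kdc_srv_name(realm) + " for " + name
    return "no KDC for realm " + realm + ": login cannot succeed"


if __name__ == "__main__":
    for login in ("alice", "alice@EXAMPLE.ORG", "alice@ATTACKER.EXAMPLE", "@X"):
        for label, conf in (("default", KRB5_CONF_DEFAULT),
                            ("hardened", KRB5_CONF_HARDENED)):
            for transform in (False, True):
                print(f"{login:24} {label:9} transform={transform!s:5} -> "
                      f"{audit_login(login, conf, transform)}")
```

Running it shows the combination the advisory warns about: with the default configuration and no transform, a login for a realm absent from krb5.conf is resolved through a DNS SRV query for that realm, while either setting dns_lookup_kdc = false or applying the transform keeps the lookup on the statically configured KDC. The transform regex is evaluated here by Python's re module rather than the IdP's Java regex engine; for this pattern the two agree. KDC verification via a service principal and keytab, the advisory's strongest recommendation, is a property of the IdP's Kerberos login flow and is not modelled by this offline check.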