Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.2921 Shibboleth Service Provider Security Advisory [15 November 2017] 16 November 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Shibboleth Service Provider Publisher: shibboleth Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Reduced Security -- Existing Account Resolution: Patch/Upgrade Original Bulletin: https://shibboleth.net/community/advisories/secadv_20171115.txt - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Service Provider Security Advisory [15 November 2017] An updated version of the Shibboleth Service Provider software is available which corrects a critical security issue in the "Dynamic" metadata provider plugin. Deployers making use of the affected feature should apply the relevant update at the soonest possible moment. Dynamic MetadataProvider fails to install security filters ============================================================ The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load. All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments. Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised. Affected Systems ================== All versions of the Service Provider software prior to V2.6.1 contain this vulnerability. There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done. Service Provider Deployer Recommendations =========================================== Upgrade to V2.6.1 or later of the Service Provider and restart the shibd service/daemon. Sites relying on official RPM packages or Macports can update via the yum and port commands respectively. For those using platforms unsupported by the project team directly, refer to your vendor or package source directly for information on obtaining the fixed version. If the update from your vendor lags, you may consider building from source for your own use as an interim step. The patch commit that corrects this issue can be found at [1]. Additional Recommendations for Federation Operators ===================================================== Operators of metadata query services in support of this feature may wish to consider implementing security checks after a suitable upgrade window has elapsed to prevent use of affected versions or follow up with deployers. The User Agent string in requests to the service will contain the version of the software. Note Regarding OpenSAML Library ================================= An identical issue exists in the DynamicMetadataProvider class in the OpenSAML-C library in all versions prior to V2.6.1. Applications making direct use of this library must be independently updated to correct this vulnerability, but this fix does not correct the issue with respect to the use of the Shibboleth SP. The patch commit that corrects the OpenSAML issue can be found at [2]. Credits ========= Rod Widdowson, Steading System Software LLP [1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit; h=b66cceb0e992c351ad5e2c665229ede82f261b16 [2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit; h=6182b0acf2df670e75423c2ed7afe6950ef11c9d URL for this Security Advisory: https://shibboleth.net/community/advisories/secadv_20171115.txt - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloMn08ACgkQN4uEVAIn eWJlARAAtBF3WZo+9ttkC3asKl3/KTon9/z72kd01t9uCxLgexh+2BFAa6nFLLem HlFQztcdvcZqcX3AbCZkFsXjsWOqtDv2HCewwEFKxex6UHf1NM+WI883y3Nfv8bH Fnxu8Ao8iC67W1bdZXfVeqXwGr8YOy0sTyG0R33bsoGyiYUTAc0FXjIn2ROn4lMV vkz0XwcQER7xCah9ow4h7dSkO3ERJfMQBD4ekaSBdpZnVaYGuBN6JSBJtlyK7Tel aDKOYaeJZ9yAOL+wFBVGu6/xTIAfWLCj0ks9K9YI6fX2YhSshy6aazxzuURtTHiH hBOi4kRX9lKMaIz1b9aKb0p1X4uePcdWsP6UaOgaFimgxpUSgUlz9SiKdaG58sKq xmZsnFGgkssCqm1Cdr2EGxU6VJ+uBqzmW0bCD7grdSeuqY+N9o1xDT4pdRWueTmD RSYUn8uA+lAN2mgy5Fnj4Ys0NSPjCpoWXyevHhm+7xwuIXrFM77B5q4QudQh2rhL ryrudPHI+fyxSJuin9bTd7SncLHSa1eu06adfVEtuYJC8KRb/tokVeUbsFsKR/AI eedmRE2RdonXn4XiuBtdO8pLj6lkLtA2ir68fEtVD2Hyxj1ht9PPjuHWVQzlBBSB GXa1yhfOxn2/cNd8DLFpML2v2dGkok8ekjuyfYgIbdQ6othn4SM= =BZgC - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWg0XcIx+lLeg9Ub1AQgYGBAAjDU3SLIyRMilbYxL1sEoDrGjK3T4TEsl 3vP7VZjEPgfDi/G7ghEwyOg22lXCE3iz+VPD0HYBnwDyrnp7Nz8HjB2BuyR9Fj+B MDRJuK2UI/P1+iBCoIbgsBiXKB2vKp22YMqW6ZhcQ7FTyA2SRmyAJGswJxWJwrrs uFe7e7TfRnWJLiEiWJ8qoYHHVZATCkEDdsFizPQMbk6Gs55slJooS97XoWKrtkZK duz+73FIl0ReXSOim10Mm9007MekmxJqktaWLHKzSMEVa+nV7flj4XmH6f3GZ0KE oo5+leey837dN8YWgom5F3zooeexv25W2d29e076iXHb7X4lkyN6tt9QX8tvfhFs jNeL/S0HUuarlGcQDrVIgqSbOHvQf3jEDPcKLVAOBKLXL0WR+xGJ8RImqFpZJ+Dv Yla5GcYnnsEumKJPhyfQsorW9YPjliaU71UgIOKoTHm+qpTJ7ox3tDD3WKrASh8h aoIvq1ksNnjNQaJVFbrEwYDAa8lGnroIwX1/zXMqAoDJL2+6eD2rT/hsWI2fg8gE 8IhtqORSl1PGLVQvVcxc/Bloeig5O2PClmONPTTxmTEVwun10uNWTLqRFWi/JTJL gVpzFaQUWJNTk2nd7e2LJA83lC535wFmb5ohc44GUKzol/lR2ezIpoVSHL/TruWY C1M4j/76umk= =CwJX -----END PGP SIGNATURE-----