Shibboleth Identity Provider Security Advisory [15-March-2017]

Shibboleth Identity Provider Security Advisory [15-March-2017]

Cantor, Scott E.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [15 March 2017]

Design flaw can result in second-factor authentication bypass
=============================================================
A flaw in the authentication support in the Identity Provider software creates
opportunities for an attacker to manipulate a browser client to bypass steps
in the authentication sequence.

While there are no known exploits for the login features delivered with the
software (including the Duo Security support included with V3.3.0), the
possibility has not been ruled out. But in practice, the flaw primarily
affects third-party implementations of second-factor authentication services.

This flaw is only possible to exploit in scenarios in which the requested or
configured authentication requirements of a particular service are supplemented
by rules involving other aspects of a transaction, such as the identity of the
user. For example, requiring use of a second factor for specific users, while
allowing password authentication for other users, may be circumventable because
of this issue.

In contrast, when services request specific forms of authentication, or if the
IdP is configured to require specific forms of authentication, that requirement
is always enforced and the flaw cannot cause a result that does not satisfy
those requirements to be accepted.


Affected Versions
=================
Versions of the Identity Provider < 3.3.1


Recommendations
===============
All deployers should upgrade to V3.3.1 at the earliest opportunity.

The Release Notes [1] document describes an additional step that applies to a
very small number of deployers. The vast majority are not using this feature,
but anyone who has defined custom flow "events" in login, interceptor, or subject
canonicalization flows will need to do a bit of additional work, as described
there.

Any deployers relying on business rules of the sort described above in which
service requirements alone do not dictate the expected policy decision on how
authentication must be performed should consider deploying an "interceptor"
flow, possibly via the delivered "context-check" feature [2], to perform a final
check that the authenticated Subject meets the requirements of the intended
policy. An example of this has been added to the documentation. This greatly
reduces the possibility that future flaws in the software might lead to
unintended results. It is also a useful means of mitigating this issue in the
event that an upgrade to the fixed version cannot be performed promptly.

References
==========

URL for this Security Advisory
https://shibboleth.net/community/advisories/secadv_20170315.txt


Credits
=======
The University of Chicago
Unicon, Inc.


[1] https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes
[2] https://wiki.shibboleth.net/confluence/x/tABSAQ



--
To unsubscribe from this list send an email to [hidden email]
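The advisory recommends a final "context-check" interceptor that re-verifies, after authentication has completed, that the Subject actually satisfied the policy the deployer intended (for instance, "these users must use a second factor"). The following is an added illustration of that recommendation, not the advisory's text nor the example the Shibboleth project added to its documentation. It assumes the file layout of the IdP V3 distribution (conf/intercept/context-check-intercept-config.xml, where the shibboleth.context-check.Condition bean is defined), that the predicate returning true lets the request proceed while false ends it with the ContextCheckDenied event, and two constructed policy values: the entitlement value urn:example:mfa-required marking users who must use a second factor, and authn/Duo as the flow id that second factor is expected to produce. The inline script is Nashorn JavaScript as used by the IdP's scripted predicates, with input bound to the ProfileRequestContext.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/intercept/context-check-intercept-config.xml (example deployment, not the shipped default) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Predicate<ProfileRequestContext> evaluated by the context-check flow.
         Assumed semantics: true = allow the request to continue,
         false = stop it with the ContextCheckDenied event. -->
    <bean id="shibboleth.context-check.Condition"
          parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
        <constructor-arg>
            <value>
            <![CDATA[
            // Constructed policy values (assumptions for this example):
            var REQUIRED_FLOW = "authn/Duo";               // flow that must have produced the result
            var ENTITLEMENT   = "urn:example:mfa-required"; // marks users subject to the MFA rule

            var allow = false;

            // 1. Locate the completed authentication result. Fail closed if absent.
            var authnCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            var result   = (authnCtx != null) ? authnCtx.getAuthenticationResult() : null;

            if (result != null) {
                // 2. Decide whether this Subject is covered by the MFA rule,
                //    using the resolved eduPersonEntitlement values.
                var mfaRequired = false;
                var rpCtx   = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
                var attrCtx = (rpCtx != null)
                    ? rpCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext") : null;
                if (attrCtx != null) {
                    var ent = attrCtx.getIdPAttributes().get("eduPersonEntitlement");
                    if (ent != null) {
                        var it = ent.getValues().iterator();
                        while (it.hasNext()) {
                            if (String(it.next().getValue()) == ENTITLEMENT) {
                                mfaRequired = true;
                            }
                        }
                    }
                }

                // 3. Users outside the rule pass. Users inside it pass only if the
                //    result came from the required second-factor flow, regardless of
                //    which flows the login sequence itself was driven through.
                allow = !mfaRequired || (String(result.getAuthenticationFlowId()) == REQUIRED_FLOW);
            }

            allow;
            ]]>
            </value>
        </constructor-arg>
    </bean>

</beans>
```

The interceptor only runs for profiles that list it, so the check is switched on per profile in conf/relying-party.xml with the postAuthenticationFlows property, for example `<bean parent="SAML2.SSO" p:postAuthenticationFlows="context-check" />`. The point of the design is that the decision is made on the final AuthenticationResult and the resolved attributes, after all login and interceptor flows have finished, so a manipulated login sequence of the kind the advisory describes still cannot produce an accepted result that violates the intended policy.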

Re: Shibboleth Identity Provider Security Advisory [15-March-2017]

Cantor, Scott E.
Quick correction: the advisory on the website has had the misnumbered footnotes corrected.

-- Scott

