Shibboleth Identity Provider Security Advisory [18 September 2019]

Cantor, Scott E.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [18 September 2019]

Improper exposure of pairwise identifiers to relying parties
============================================================

The Shibboleth Identity Provider supports the concept of "pairwise"
identifiers that vary in value based on the identity of the relying
party for a request. These are chiefly supported as values of SAML
2.0 NameIDs with a Format of
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".

The software implements policy controls intended to prevent a relying
party from requesting a pairwise identifier in the namespace of a
party other than itself or one for which it is authorized.

A SAML AuthnRequest with certain content, combined with non-default
settings or SAML metadata explicitly resulting in a response including
a "persistent" NameID, can bypass the intended controls and disclose
a pairwise value meant for a different relying party.

This is a privacy exposure that can allow unintended correlation of
user activity.


Affected Versions
=================
Versions of the Identity Provider between V3.0.0 and V3.4.4

Recommendations
===============
Upgrade to Identity Provider V3.4.5 or later.

A mitigating control is to review the relying parties for which the
Identity Provider will a priori return a NameID with the "persistent"
Format. This generally involves reviewing or limiting any sources of
metadata containing a corresponding <md:NameIDFormat> element, or
configurations in the relying-party.xml file containing the
nameIDFormatPrecedence setting.

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20190918.txt


Credits
=======
Takeshi Nishimura, GakuNin / National Institute of Informatics

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
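The advisory's first section describes two things: a pairwise identifier whose value depends on the relying party, and a policy control that keeps a relying party from obtaining a value in another party's namespace. The following added model (not the Identity Provider's own code) shows how the two fit together. The hash-of-concatenation derivation, the `AUTHORIZED_QUALIFIERS` table, the example entity IDs and the plain `requested` parameter standing in for whatever a request uses to express a desired namespace are all assumptions made for illustration.

```python
import base64
import hashlib
from typing import Dict, Optional, Set

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed secret salt; a real deployment keeps this out of source control.
SALT = b"constructed-example-salt-do-not-reuse"

# Constructed authorization table: which requesters may receive identifiers
# scoped to a namespace other than their own (e.g. a gateway acting for an
# affiliation). A requester absent from the table gets its own namespace only.
AUTHORIZED_QUALIFIERS: Dict[str, Set[str]] = {
    "https://gateway.example.org/shibboleth": {"https://affiliation.example.org"},
}


def pairwise_id(namespace: str, source_id: str, salt: bytes = SALT) -> str:
    """Derive a value that is stable for (namespace, user) but differs across
    namespaces, so two relying parties cannot join their records of one user.
    The hash-of-concatenation construction is an illustrative assumption,
    not the IdP's own generation strategy."""
    material = namespace.encode() + b"!" + source_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def resolve_namespace(requester: str, requested: Optional[str]) -> str:
    """The policy control: the identifier is scoped to the requester's own
    namespace unless the requester is explicitly authorized for the namespace
    it asked for. Any other request is refused rather than served."""
    if requested is None or requested == requester:
        return requester
    if requested in AUTHORIZED_QUALIFIERS.get(requester, set()):
        return requested
    raise PermissionError(
        f"{requester} is not authorized for pairwise identifiers in {requested}"
    )


def issue_persistent_nameid(
    requester: str, requested: Optional[str], source_id: str
) -> Dict[str, str]:
    """Build the NameID a compliant IdP would return: the namespace is decided
    by policy first, and only then is the pairwise value derived for it."""
    namespace = resolve_namespace(requester, requested)
    return {
        "Format": PERSISTENT,
        "SPNameQualifier": namespace,
        "value": pairwise_id(namespace, source_id),
    }


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    print(issue_persistent_nameid(sp_a, None, "user-0001"))
    try:
        issue_persistent_nameid(sp_a, sp_b, "user-0001")
    except PermissionError as exc:
        print("refused:", exc)
```

The ordering in `issue_persistent_nameid` is the point: the namespace is fixed by policy before any value is computed, so a request that names a foreign namespace is refused outright. If the policy check were skipped or bypassed, the value handed out would be the one sp-b receives for that user, which is exactly the correlation the advisory describes.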

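The Recommendations section suggests reviewing which relying parties will receive the "persistent" Format a priori, from `<md:NameIDFormat>` elements in metadata and from `nameIDFormatPrecedence` settings in relying-party.xml. The following added audit script (not part of the advisory or the Shibboleth project) does that review over two constructed inputs. The metadata aggregate and the relying-party.xml fragment are constructed samples; the bean layout scanned (a `RelyingPartyByName` bean carrying `c:relyingPartyIds`, with `p:nameIDFormatPrecedence` on a nested profile bean) is an assumption about how the override is commonly written, and other Spring spellings of the same property are not handled.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed metadata aggregate (not real federation metadata).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed relying-party.xml fragment; the bean layout is an assumption.
SAMPLE_RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp-c.example.org/shibboleth">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO"
              p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
      </list>
    </property>
  </bean>
</beans>"""


def persistent_from_metadata(xml_text: str) -> Set[str]:
    """Entities whose metadata asks for the persistent Format via <md:NameIDFormat>."""
    root = ET.fromstring(xml_text)
    found: Set[str] = set()
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for fmt in entity.iter(f"{{{MD_NS}}}NameIDFormat"):
            if (fmt.text or "").strip() == PERSISTENT:
                found.add(entity.get("entityID", ""))
    return found


def persistent_from_relying_party(xml_text: str) -> Set[str]:
    """Relying parties given the persistent Format by a nameIDFormatPrecedence
    override. Only the RelyingPartyByName + c:relyingPartyIds attribute layout
    is scanned (an assumption of this example)."""
    root = ET.fromstring(xml_text)
    found: Set[str] = set()
    bean_tag = f"{{{BEANS_NS}}}bean"
    for rp in root.iter(bean_tag):
        if rp.get("parent") != "RelyingPartyByName":
            continue
        overrides = (b.get(f"{{{P_NS}}}nameIDFormatPrecedence", "") for b in rp.iter(bean_tag))
        if any(PERSISTENT in value for value in overrides):
            ids = rp.get(f"{{{C_NS}}}relyingPartyIds", "")
            found.update(i.strip() for i in ids.split(",") if i.strip())
    return found


def review_list(metadata_xml: str, relying_party_xml: str) -> List[Dict[str, str]]:
    """Merge both sources into one list to review. Each entry records where the
    persistent Format comes from, since the remedy differs: edit or filter the
    metadata source, or edit relying-party.xml."""
    rows: Dict[str, Set[str]] = {}
    for entity_id in persistent_from_metadata(metadata_xml):
        rows.setdefault(entity_id, set()).add("metadata")
    for entity_id in persistent_from_relying_party(relying_party_xml):
        rows.setdefault(entity_id, set()).add("relying-party.xml")
    return [{"entityID": e, "source": ", ".join(sorted(s))} for e, s in sorted(rows.items())]


if __name__ == "__main__":
    for row in review_list(SAMPLE_METADATA, SAMPLE_RELYING_PARTY):
        print(f"{row['entityID']:<45} {row['source']}")
```

Run against a real deployment, point `review_list` at the IdP's actual metadata sources and relying-party.xml instead of the embedded samples; every entity it lists is one for which the IdP will emit a persistent NameID regardless of the request, and so belongs in the review the advisory recommends until the upgrade to V3.4.5 is in place.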