Shibboleth Identity Provider Security Advisory [19 December 2018]


Cantor, Scott E.

Shibboleth IdP Vulnerable to Untrusted Relying Party Access Via CAS Proxy
=========================================================================
The CAS protocol specification [1] strictly defines the conditions under which
a relying party is granted the privilege to proxy:

1. Proxy callback endpoint must present a trusted X.509 certificate over HTTPS.
2. HTTP response code must be 200.

The Shibboleth IdP uses an application-specific facility, a Trust Engine, to
configure trusted certificates. A software bug, however, causes the Java system
trust store to be consulted as a fallback when a certificate fails the Trust
Engine validation process. Since the default system trust store contains common
commercial CAs, the consequence for most deployers is that the scope of trusted
certificates is far broader than intended. The increase in trusted certificate
scope risks granting an untrusted relying party the privilege to proxy.
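As an added illustration (not Shibboleth IdP code), the following Java sketch checks a CAS proxy callback against the two conditions above using only a deployer-supplied trust store and fails closed on any error; the `ProxyCallbackCheck` class and its method names are assumptions. The comment marks the `TrustManagerFactory.init(null)` call that would silently load the JVM default trust store, which is the kind of fallback the advisory describes.

```java
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Illustrative (hypothetical) check of a CAS proxy callback URL against the two
 *  conditions in the CAS spec: trusted certificate over HTTPS, then HTTP 200. */
public final class ProxyCallbackCheck {

    /** Builds a trust manager from ONLY the deployer's trust store. Passing a null
     *  KeyStore to TrustManagerFactory.init() would load the JVM default (cacerts)
     *  store, i.e. the over-broad commercial-CA set the advisory warns about, so a
     *  missing store is rejected instead of falling back. */
    static X509TrustManager trustManagerFor(KeyStore deployerTrustStore) throws Exception {
        if (deployerTrustStore == null) {
            throw new IllegalArgumentException("trust store required; no fallback to JVM cacerts");
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(deployerTrustStore);   // never tmf.init(null) here
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Returns true only if the callback is HTTPS, its certificate chain validates
     *  against the deployer trust store, and the server answers 200. Any failure
     *  (untrusted cert, I/O error, non-200) means no proxy privilege is granted. */
    static boolean callbackAuthorized(URL pgtUrl, KeyStore deployerTrustStore) {
        if (!"https".equalsIgnoreCase(pgtUrl.getProtocol())) {
            return false;                         // condition 1: HTTPS only
        }
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { trustManagerFor(deployerTrustStore) }, null);
            HttpsURLConnection conn = (HttpsURLConnection) pgtUrl.openConnection();
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            conn.setRequestMethod("GET");
            return conn.getResponseCode() == 200; // condition 2: HTTP 200
        } catch (Exception e) {
            return false;                         // fail closed
        }
    }
}
```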

Affected Versions
=================
All 3.x versions of the IdP software prior to V3.4.2 are affected.

Mitigating Factors
==================
There are a couple of notable conditions that must be met before the
vulnerability can be exploited:

1. A malicious service is authorized to proxy in the CAS service registry.
2. An authenticated user visits a malicious service such that it receives
   a proxy-granting ticket.

The first point depends on the kinds of expressions commonly used to register
CAS service endpoints. While regular expression wildcards are commonplace,
they tend to be scoped within organizational DNS boundaries. Further, the
wildcards tend to be in the path part of URLs.

Recommendations
===============
The Shibboleth Project recommends upgrading to Shibboleth IdP V3.4.2,
which contains a fix for the CAS proxy vulnerability. For deployers
upgrading from versions prior to 3.4.0, please consult the documentation [2]
to port your CAS proxy trust configuration.

If upgrading is not possible, the IdP should be configured to use a minimized
system trust store containing the smallest set of trusted certificates required
for proper function. Please consult the documentation [3] for detailed
instructions.

References
==========
[1] https://bit.ly/2UBrMV8
[2] https://wiki.shibboleth.net/confluence/x/oIEYAw
[3] https://wiki.shibboleth.net/confluence/x/HwE1Aw

Credits
=======
Paul B. Henson, Cal Poly Pomona
Marvin S Addison, Virginia Tech

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20181219.txt

