Shibboleth Service Provider Security Advisory [2018-01-12]

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Shibboleth Service Provider Security Advisory [2018-01-12]

Cantor, Scott E.
Hash: SHA512

Shibboleth Service Provider Security Advisory [12 January 2018]

An updated version of the Shibboleth Project's XMLTooling library is
available which corrects a critical security issue.

Shibboleth SP software vulnerable to forged user attribute data
The Service Provider software relies on a generic XML parser to process
SAML responses and there are limitations in older versions of the parser
that make it impossible to fully disable Document Type Definition (DTD)

Through addition/manipulation of a DTD, it's possible to make changes
to an XML document that do not break a digital signature but are
mishandled by the SP and its libraries. These manipulations can alter
the user data passed through to applications behind the SP and result
in impersonation attacks and exposure of protected information.

While the use of XML Encryption can serve as a mitigation for this bug,
it may still be possible to construct attacks in such cases, and the SP
does not provide a means to enforce its use.

An updated version of XMLTooling-C (V1.6.3) is available that works
around this specific bug.

While newer versions of the parser are configured by the SP into
disallowing the use of a DTD via an environment variable, this feature
is not present in the parser used on some supported platforms (notably
Red Hat and CentOS 7), so an additional fix is being provided now that
an actual DTD exploit has been identified.

While it is possible to determine whether one is already immune to this
bug, the installation of this patch is a simpler step, and strongly
encouraged. Notably, however "current" Windows installs of V2.6.0 and
later are *not* impacted by the bug, so this patch can be treated as lower
priority on that platform.

This vulnerability has been assigned CVE-2018-0486.

Upgrade to V1.6.3 or later of the XMLTooling-C library and restart the
affected processes (shibd, Apache, etc.)

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.

The MacPort has also been updated.

Windows systems can upgrade to the latest Service Provider release
(V2.6.1.3) which contains the appropriately updated libraries. [1]

Philip Huppert, RedTeam Pentesting


URL for this Security Advisory:



To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view

RE: Shibboleth Service Provider Security Advisory [2018-01-12]

Cantor, Scott E.
As a follow up to this issue. I had no idea they were going to this, but the company that found the exploit decided to publish it with full details of exactly how to do it (and it's not hard). I asked them to remove it but they have so far refused.

I wanted people to know since it makes this a much more serious issue for those affected, which is principally Red Hat and CentOS 7 installs, plus some newer OpenSUSE versions, which isn't heavily used anymore. If people want to warn their communities that this exploit is now very public, that might be warranted.

-- Scott

To unsubscribe from this list send an email to [hidden email]