Shibboleth Service Provider Security Advisory [31 August 2020]

Cantor, Scott E.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [31 August 2020]

An updated version of the "modern" module for Microsoft IIS V7+ is
available which corrects a denial of service vulnerability.

IIS module fails to trap exceptions raised by network socket failures
======================================================================
The modern IIS module contains a flaw that fails to catch and handle
exceptions that occur on a particular code path that results from
failed attempts to read data from the HTTP client socket.

This manifests as a crash in the IIS worker process along with a
fatal log message in the Windows event log.

Because it is possible experimentally to trigger this condition
remotely, it results in a potential denial of service condition
exploitable by a remote, unauthenticated attacker.

This issue is specific to the newer IIS module and does not impact
the older ISAPI filter/extension or the Apache modules or any other
SP integration variants.

Recommendations
===============
Update to V3.1.0.2 or later of the Windows installation package,
which is now available.

The fix is being distributed as a Windows service update (the fourth
digit) rather than a full patch since it is isolated to a DLL specific
to the Windows package.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
a2cfc1526b86d36d2afd921a1bf1029e79af4267

Credits
=======
Jos Groot Lipman from Aareon Nederland B.V.


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20200831.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAl9M6okACgkQN4uEVAIn
eWLzVw/+I9r4X2TwTk53OqSqTEPAf7HcbO8IRLmdHBTrAH7E8edXxycMa+gi7KpH
hRgWx3Bt16y+5O5lauwXzrH3HZawgaDoLP5tdfVyjiVo6+brD3C40l76BAGNWdR0
yYOKnuHJr72aQdchrWZ2cOZd6p2ImjC35tJl4armoV+gru28UpVZ/Pnvr/OkWfVh
no8hqGyPVu/fO4jlnNxqyK3tbXy1mM4xQiNwjL8NpkgfmYlcL5JBLIG78etX6HST
q6DVMS9pG7l2svcIZAPOF+ReDbRIuVZlEtq3Fth5PGZz8QP1SIu/Uv4Rn4xOBHu7
F1zDINFbAiga7ZJ61XsTT9IHzxhiDjqsTlYXzZOekqdHHpON15N++kfGAN0burHv
b8qHx2KIWCHHl70N4McNoyfu7/x4b2rRssK7L/ymY2g1B/xqHJlcK3ZWG/b7mZGX
jeCo8rnkxDNJ0SMBYVjnracZmHLWasJa2EkBi+DQurqYJFQdX30rSlhQnVTpicvc
AkNBr0uHUvSpUqjwvjz6EXS1Zh7GGYwjyq5wWSlG+nHps+EOz6uzRXgxdV1MZBto
LpXLJXHGbiGBO9LuvSYTHxlldFqKCrAmqLMA4+CyLJE3CES+o3rYDds9oywnlChu
T9mvNz4xUNyJwur4ZiIlMHqK/i9d9iqg4cCi13l+sTkwGMHkVvg=
=iXxa
-----END PGP SIGNATURE-----
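The failure mode the advisory describes, an exception from a failed client-socket read escaping a native module and taking the worker process down with it, is easy to reproduce in miniature. The following is an added illustration written for this page; it is not cpp-sp code and does not reflect how the Shibboleth IIS module is structured. FakeClientSocket, handleUnguarded, handleGuarded, Outcome and runRequest are all constructed for the example, and the catch-all in runRequest stands in for the host process (a real native module has no such safety net, so an escaping exception terminates the worker).

```cpp
#include <cstddef>
#include <exception>
#include <stdexcept>
#include <string>

// Constructed stand-in for the client socket a native web-server module reads
// the request body from. clientResets=true models the peer aborting the
// connection mid-read; socket wrappers commonly surface that as an exception.
struct FakeClientSocket {
    std::string pending;
    bool clientResets;

    std::string readBody(std::size_t maxBytes) {
        if (clientResets)
            throw std::runtime_error("recv failed: connection reset by peer");
        std::string chunk = pending.substr(0, maxBytes);
        pending.erase(0, chunk.size());
        return chunk;
    }
};

// Hypothetical handler with the class of flaw the advisory describes: the
// exception raised by readBody() is not trapped on this code path and
// propagates out of the module entry point.
int handleUnguarded(FakeClientSocket& sock) {
    std::string body = sock.readBody(1024);
    return body.empty() ? 400 : 200;
}

// Hardened handler: same work, but every exception is trapped at the module
// boundary, logged, and mapped to a status code. A failed read now costs one
// request instead of the whole worker process.
int handleGuarded(FakeClientSocket& sock, std::string& logLine) {
    try {
        std::string body = sock.readBody(1024);
        return body.empty() ? 400 : 200;
    } catch (const std::exception& e) {
        logLine = std::string("client read failed: ") + e.what();
        return 500;
    } catch (...) {
        logLine = "client read failed: unknown exception";
        return 500;
    }
}

struct Outcome {
    bool processAlive;   // false models the worker process being terminated
    int status;          // status the handler returned (0 if it never returned)
    std::string logLine;
};

// Runs one request through the chosen handler. The catch(...) below plays the
// role of the host process: in a real native module nothing catches the
// exception, and the worker process dies with a fatal event-log entry.
Outcome runRequest(bool guarded, bool clientResets) {
    FakeClientSocket sock{"user=alice", clientResets};  // constructed request body
    Outcome out{true, 0, ""};
    try {
        out.status = guarded ? handleGuarded(sock, out.logLine)
                             : handleUnguarded(sock);
    } catch (...) {
        out.processAlive = false;
    }
    return out;
}

int main() {
    Outcome healthy  = runRequest(false, false);  // unguarded, clean read
    Outcome crashed  = runRequest(false, true);   // unguarded, client resets
    Outcome survived = runRequest(true, true);    // guarded, client resets
    return (healthy.processAlive && healthy.status == 200
            && !crashed.processAlive
            && survived.processAlive && survived.status == 500) ? 0 : 1;
}
```

The point of the guarded variant is where the catch sits: at the boundary between the module and the server, so that nothing a remote, unauthenticated client can provoke on the socket (a reset, a truncated body, a timeout) is allowed to unwind past the handler. Handling only the failures you expect inside the read path is not enough; the catch-all at the boundary is what turns a process crash into a per-request error.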
