Shibboleth Service Provider Security Advisory [15 November 2017]

Cantor, Scott cantor.2 at osu.edu
Wed Nov 15 09:23:01 EST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [15 November 2017]

An updated version of the Shibboleth Service Provider software
is available which corrects a critical security issue in the
"Dynamic" metadata provider plugin.

Deployers making use of the affected feature should apply the
relevant update at the soonest possible moment.

NOTE: CVEs for this issue are forthcoming from the Debian Project
and this advisory will be updated if and when they are obtained.

Dynamic MetadataProvider fails to install security filters
============================================================
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of downloading
aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical
security checks such as signature verification, enforcement of validity
periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself
with the filters provided to it and thus omits whatever checks they are
intended to perform, which will typically leave deployments vulnerable
to active attacks involving the substitution of metadata if the network
path to the query service is compromised.

Affected Systems
==================
All versions of the Service Provider software prior to V2.6.1 contain
this vulnerability.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of this feature until the upgrade is done.

Service Provider Deployer Recommendations
===========================================
Upgrade to V2.6.1 or later of the Service Provider and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively.

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags,
you may consider building from source for your own use as an interim
step.

The patch commit that corrects this issue can be found at [1].

Additional Recommendations for Federation Operators
=====================================================
Operators of metadata query services in support of this feature may
wish to consider implementing security checks after a suitable upgrade
window has elapsed to prevent use of affected versions or follow up
with deployers. The User Agent string in requests to the service
will contain the version of the software.

Note Regarding OpenSAML Library
=================================
An identical issue exists in the DynamicMetadataProvider class in
the OpenSAML-C library in all versions prior to V2.6.1. Applications
making direct use of this library must be independently updated to
correct this vulnerability, but this fix does not correct the issue
with respect to the use of the Shibboleth SP.

The patch commit that corrects the OpenSAML issue can be found at [2].

Credits
=========
Rod Widdowson, Steading System Software LLP

[1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;
h=b66cceb0e992c351ad5e2c665229ede82f261b16

[2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;
h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20171115.txt
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloMTQcACgkQN4uEVAIn
eWJMWxAAm3MDy4+F1ZkucE9+qRjd5Th+/KMkd5CkSTz26GbAmAV8Mg8c7L5mg5eV
2J0NiIAr3rtfGPbfOKQhhlYNdIfPkVT+5EihKWewd64dLdASbItu2jh89T2Zubys
Gsj3bcVKhOMfXRQxhm70Fdvs248+axihbHj7cOfNDhLXIUSgZVoH+dPpCrXz0g7s
0wAx+tDsETw1oBoBEao/NsYqcHlwYxhWVWRlIi7JE9gDXZnqGZdVUCz9TZLlY/Dz
L3YlK6z382BQRU3iMJvVqPVzykXFuSMng4ttdRd02SuF1gwt+FRFq/og0Zg+KDso
Ocmxf4PWWHqg/Hxan0hKJzYWX3XWXcb8XGtyK84nQ+l3IbGv2hgg404zEveFnSqa
tMScXK4jkr/bBNMByBs61KXET2R1wpLoftMChbmLVEmlUt242nTSvsWrfDmd5dfn
89K0qETkfqndQSPJrn6Fz2UUe78rrduCvws4s6zgE/IqLBdKaTHUsnkr0lggP6wJ
RawHbkbYuDRLTRkqdCYImAZabPHzT3LPy/2c/JOaViVLSEG9QKrh0cPjDUpehCaQ
ohMhEz1IWyMAuIBNok/npAjH9n8psMOHyjU0PxR50gHnsfrDU6pEJMn9nFBEL8fX
Jd066LS5n4EpQ4b09Srde6NFkzvDfofsNTwsw5Pq+dz8f8aTPuc=
=0cm+
-----END PGP SIGNATURE-----




More information about the announce mailing list