Shib IDP v3 integration with Cylance

Losen, Stephen C. (scl) scl at virginia.edu
Tue Mar 20 07:29:28 EDT 2018


Hi folks,

Are there tools or test scripts for the various known XML parsing vulnerabilities?  Scott, how do you test an SP to see if it is vulnerable?  If you give the vendor a "repeat-by" procedure then they may be more responsive.

I recently saw the report of the simplesamlphp XML vulnerabilities, which are completely different from the xmltooling library issues. Simplesamlphp (erroneously) does not distinguish private key signature algorithms from symmetric key.  So an attacker can take the public key of a victim IDP (which is public knowledge) and sign an arbitrary assertion using the public key and HMAC (symmetric key algorithm).  Then the simplesamlphp SP verifies the key by checking the IDP metadata and verifies the signature with HMAC, which is successful.

Any tools or test scripts for this problem or others out there?

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640
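The key-confusion flaw described in the message above, reduced to a runnable test script. This is an added example, not code from the thread, from SimpleSAMLphp or from xmlseclibs: it models a verifier that lets the SignatureMethod named in the message pick the primitive and hands the IdP's trusted key bytes to whichever primitive that is, next to a verifier that lets the type of the trusted key decide which algorithms are even acceptable. The RSA is textbook (hash as integer, no padding), the "PEM" encoding is a toy stand-in for the certificate an SP pulls from metadata, and the two assertions are constructed sample strings; all of that is assumed here for the sake of an offline demonstration and is not XML-DSig.

```python
"""Key-confusion check: HMAC with the IdP public key vs. a real RSA signature.

Stdlib only. Textbook RSA and a toy key encoding (assumptions for the demo);
the point is the verifier's algorithm dispatch, not XML-DSig itself.
"""
import hashlib
import hmac
import math
import random

# XML-DSig algorithm identifiers (RFC 6931 / xmldsig-more).
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def make_idp_keypair(bits=512, seed=2018):
    """Toy RSA keypair standing in for the IdP signing key (seeded for repeatability)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def encode_public_key(pub):
    """Public bytes as the SP holds them from metadata; everyone has these."""
    n, e = pub
    return f"-----BEGIN PUBLIC KEY-----\n{n:x}:{e:x}\n-----END PUBLIC KEY-----\n".encode()


def decode_public_key(key_bytes):
    n_hex, e_hex = key_bytes.decode().splitlines()[1].split(":")
    return int(n_hex, 16), int(e_hex, 16)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def idp_sign(priv, signed_info):
    """Legitimate IdP signature: RSA with the private key."""
    n, d = priv
    sig = pow(_digest_int(signed_info), d, n)
    return RSA_SHA256, sig.to_bytes((n.bit_length() + 7) // 8, "big")


def forge_with_public_key(public_key_bytes, signed_info):
    """Attacker: no private key, only the public key bytes, and names HMAC."""
    return HMAC_SHA256, hmac.new(public_key_bytes, signed_info, hashlib.sha256).digest()


def _rsa_verify(trusted_key_bytes, signed_info, signature):
    n, e = decode_public_key(trusted_key_bytes)
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(signed_info)


def verify_vulnerable(trusted_key_bytes, signed_info, algorithm, signature):
    """Flawed SP: the message picks the algorithm, the trusted key feeds it."""
    if algorithm == RSA_SHA256:
        return _rsa_verify(trusted_key_bytes, signed_info, signature)
    if algorithm == HMAC_SHA256:
        # BUG: a public key is used as an HMAC secret; the attacker has those bytes too.
        expected = hmac.new(trusted_key_bytes, signed_info, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return False


# A key loaded from metadata is a public key, so only asymmetric algorithms apply to it.
ALLOWED_FOR_PUBLIC_KEY = {RSA_SHA256}


def verify_fixed(trusted_key_bytes, signed_info, algorithm, signature):
    """Hardened SP: the key's type, not the message, decides what is acceptable."""
    if algorithm not in ALLOWED_FOR_PUBLIC_KEY:
        return False
    return _rsa_verify(trusted_key_bytes, signed_info, signature)


def run_check():
    """What a test script should report for each verifier (constructed sample assertions)."""
    pub, priv = make_idp_keypair()
    pub_bytes = encode_public_key(pub)
    genuine = b"<Assertion><Subject>alice</Subject></Assertion>"
    forged = b"<Assertion><Subject>admin</Subject></Assertion>"
    alg_ok, sig_ok = idp_sign(priv, genuine)
    alg_bad, sig_bad = forge_with_public_key(pub_bytes, forged)
    return {
        "vulnerable_accepts_genuine": verify_vulnerable(pub_bytes, genuine, alg_ok, sig_ok),
        "vulnerable_accepts_forged": verify_vulnerable(pub_bytes, forged, alg_bad, sig_bad),
        "fixed_accepts_genuine": verify_fixed(pub_bytes, genuine, alg_ok, sig_ok),
        "fixed_accepts_forged": verify_fixed(pub_bytes, forged, alg_bad, sig_bad),
    }


if __name__ == "__main__":
    for name, result in run_check().items():
        print(f"{name}: {result}")
```

Run it and the flawed verifier accepts both the genuine RSA assertion and the attacker's HMAC-over-public-key assertion, while the hardened one rejects the forgery without ever computing an HMAC. Against a real SP the equivalent probe is an assertion whose SignatureMethod names an HMAC algorithm and whose SignatureValue is an HMAC keyed with the IdP's metadata certificate bytes; an SP that is not vulnerable should refuse it at the algorithm check, before looking at the signature value.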


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, March 19, 2018 7:54 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shib IDP v3 integration with Cylance

On 3/19/18, 6:37 PM, "users on behalf of Phil Pishioneri" <users-bounces at shibboleth.net on behalf of pgp at pSu.edu> wrote:
> We told our local Cylance admin about the advisory and asked to pass it along to Cylance.

Without naming names (yet), I'll just say that if you intend to be safe, you have no choice at this stage but to test or find somebody else to. Vendors are currently in denial mode or don't understand how any of this works well enough to even recognize they're playing the role that can be vulnerable (or are in some cases outright claiming the IdP is the vulnerable half). You will not get any adequate response unless you force the issue right now, it's too early.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net