Shib IDP v3 integration with Cylance

Losen, Stephen C. (scl) scl at
Tue Mar 20 07:29:28 EDT 2018

Hi folks,

Are there tools or test scripts for the various known XML parsing vulnerabilities?  Scott, how do you test an SP to see if it is vulnerable?  If you give the vendor a "repeat-by" procedure then they may be more responsive.

I recently saw the report of the simplesamlphp XML vulnerabilities which are completely different than the xmltooling library issues. Simplesamlphp (erroneously) does not distinguish private key signature algorithms from symmetric key.  So an attacker can take the public key of a victim IDP (which is public knowledge) and sign an arbitrary assertion using the public key and HMAC (symmetric key algorithm).  Then the simplesamlphp SP verifies the key by checking the IDP metadata and verifies the signature with HMAC, which is successful.

Any tools or test scripts for this problem or others out there?

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Monday, March 19, 2018 7:54 PM
To: Shib Users <users at>
Subject: Re: Shib IDP v3 integration with Cylance

On 3/19/18, 6:37 PM, "users on behalf of Phil Pishioneri" <users-bounces at on behalf of pgp at> wrote:
> We told our local Cylance admin about the advisory and asked to pass it along to Cylance.

Without naming names (yet), I'll just say that if you intend to be safe, you have no choice at this stage but to test or find somebody else to. Vendors are currently in denial mode or don't understand how any of this works well enough to even recognize they're playing the role that can be vulnerable (or are in some cases outright claiming the IdP is the vulnerable half). You will not get any adequate response unless you force the issue right now, it's too early.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list