Category: Application (Generic) > Shibboleth Service Provider
Vendors: Shibboleth
Shibboleth Service Provider Lets Remote Users Modify User Attribute Data on the Target System
SecurityTracker Alert ID:  1040177
SecurityTracker URL:  http://securitytracker.com/id/1040177
CVE Reference:   CVE-2018-0486
Updated:  Jan 16 2018
Original Entry Date:  Jan 12 2018
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes

Description:   A vulnerability was reported in Shibboleth Service Provider. A remote user can modify user attribute data on the target system.

A remote user can add or modify a Document Type Definition (DTD) to trigger a flaw in the XMLTooling library and bypass digital signature verification. This can be exploited to modify user attribute data and impersonate a user or obtain potentially sensitive information.

The vendor was notified on January 10, 2018.

The original advisory and demonstration exploit are available at:

https://www.redteam-pentesting.de/advisories/rt-sa-2017-013

Philip Huppert, RedTeam Pentesting, reported this vulnerability.

Impact:   A remote user can bypass digital signature verification to impersonate a user or obtain potentially sensitive information.
Solution:   The vendor has issued a fix (XMLTooling-C library version 1.6.3; Windows users can instead upgrade to Service Provider version 2.6.1.3, which bundles the updated library).

[Editor's note: The vendor indicates that "current" Windows installs of version 2.6.0 and later are not affected.]

The vendor advisory is available at:

https://shibboleth.net/community/advisories/secadv_20180112.txt

Vendor URL:  shibboleth.net/community/advisories/secadv_20180112.txt
Cause:   Authentication error

Message History:   None.


Source Message Contents

Subject:  Shibboleth Service Provider Security Advisory [2018-01-12]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Service Provider Security Advisory [12 January 2018]

An updated version of the Shibboleth Project's XMLTooling library is
available which corrects a critical security issue.


Shibboleth SP software vulnerable to forged user attribute data
====================================================================
The Service Provider software relies on a generic XML parser to process
SAML responses and there are limitations in older versions of the parser
that make it impossible to fully disable Document Type Definition (DTD)
processing.

Through addition/manipulation of a DTD, it's possible to make changes
to an XML document that do not break a digital signature but are
mishandled by the SP and its libraries. These manipulations can alter
the user data passed through to applications behind the SP and result
in impersonation attacks and exposure of protected information.

While the use of XML Encryption can serve as a mitigation for this bug,
it may still be possible to construct attacks in such cases, and the SP
does not provide a means to enforce its use.

An updated version of XMLTooling-C (V1.6.3) is available that works
around this specific bug.

While newer versions of the parser are configured by the SP into
disallowing the use of a DTD via an environment variable, this feature
is not present in the parser used on some supported platforms (notably
Red Hat and CentOS 7), so an additional fix is being provided now that
an actual DTD exploit has been identified.

While it is possible to determine whether one is already immune to this
bug, the installation of this patch is a simpler step, and strongly
encouraged. Notably, however, "current" Windows installs of V2.6.0 and
later are *not* impacted by the bug, so this patch can be treated as lower
priority on that platform.

This vulnerability has been assigned CVE-2018-0486.

Recommendations
===============
Upgrade to V1.6.3 or later of the XMLTooling-C library and restart the
affected processes (shibd, Apache, etc.).

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.

The MacPort has also been updated.

Windows systems can upgrade to the latest Service Provider release
(V2.6.1.3) which contains the appropriately updated libraries. [1]


Credits
=======
Philip Huppert, RedTeam Pentesting

[1] https://shibboleth.net/downloads/service-provider/2.6.1/

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20180112.txt


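The fix described in the advisory rests on one property: the XML parser in front of the SAML processing chain must refuse any Document Type Definition, so that no DTD-driven change to the document can reach signature verification or attribute extraction. The check below is an added example, written here for illustration and not taken from Shibboleth, XMLTooling or the advisory; it shows the defender-side equivalent of that property using Python's standard-library expat bindings. Any DOCTYPE declaration, whether it references an external DTD or carries an internal subset, aborts parsing. The SAML-shaped sample documents are constructed for the example, and the function and class names (`contains_dtd`, `root_element`, `accepts`, `DTDNotAllowed`) are assumptions of this example.

```python
"""Fail-closed DTD check for XML messages arriving at a relying party.

Added example, not Shibboleth or XMLTooling code.  The idea mirrors the
advisory's mitigation: a parser that rejects every DOCTYPE gives the DTD no
opportunity to alter what the signed document means to downstream code.
"""
import xml.parsers.expat


class DTDNotAllowed(ValueError):
    """Raised when a document declares a DTD (external or internal subset)."""


def _make_parser() -> xml.parsers.expat.XMLParserType:
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires for every <!DOCTYPE ...>, whether it names an external DTD
        # (SYSTEM/PUBLIC identifier) or carries an internal subset in brackets.
        # Raising here stops expat before any DTD content is processed.
        raise DTDNotAllowed(
            f"DOCTYPE {doctype_name!r} is not allowed "
            f"(system_id={system_id!r}, internal_subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    return parser


def contains_dtd(document: bytes) -> bool:
    """Return True if the document declares a DTD, False if it is DTD-free.

    Malformed XML raises xml.parsers.expat.ExpatError, so a caller that only
    catches DTDNotAllowed still fails closed on garbage input.
    """
    try:
        _make_parser().Parse(document, True)
    except DTDNotAllowed:
        return True
    return False


def root_element(document: bytes) -> str:
    """Parse a document and return its root element name.

    Refuses (raises DTDNotAllowed) if a DTD is present, so the caller never
    sees element or attribute data from a document with a DTD.
    """
    parser = _make_parser()
    seen = []

    def on_start(name, attrs):
        if not seen:
            seen.append(name)

    parser.StartElementHandler = on_start
    parser.Parse(document, True)
    return seen[0]


def accepts(document: bytes) -> bool:
    """Convenience wrapper: True if root_element() admits the document."""
    try:
        root_element(document)
    except DTDNotAllowed:
        return False
    return True


# Constructed sample messages (not real SAML traffic).  The signature element
# is omitted because the check runs before any signature is examined.
_BODY = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:AttributeStatement>"
    b'<saml:Attribute Name="mail">'
    b"<saml:AttributeValue>alice@example.org</saml:AttributeValue>"
    b"</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
)
_ROOT_OPEN = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-response-1">'
)
CLEAN_RESPONSE = b'<?xml version="1.0"?>' + _ROOT_OPEN + _BODY + b"</samlp:Response>"
INTERNAL_DTD_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE samlp:Response [<!ENTITY example "constructed">]>'
    + _ROOT_OPEN + _BODY + b"</samlp:Response>"
)
EXTERNAL_DTD_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE samlp:Response SYSTEM "placeholder-external.dtd">'
    + _ROOT_OPEN + _BODY + b"</samlp:Response>"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RESPONSE),
                       ("internal DTD", INTERNAL_DTD_RESPONSE),
                       ("external DTD", EXTERNAL_DTD_RESPONSE)):
        print(f"{label:13s} contains_dtd={contains_dtd(doc)} accepted={accepts(doc)}")
```

The check has to run over exactly the bytes that are later handed to signature verification; a DTD-free copy that is re-serialised from a different parse of the same message would defeat the point. Rejecting the DOCTYPE outright, rather than trying to process it "safely", is what the advisory describes the newer Xerces-C configuration as doing, and it avoids having to reason about which DTD constructs a given parser version handles consistently.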



Copyright 2018, SecurityGlobal.net LLC