Source: opensaml2 Version: 2.5.3-2 Severity: grave Tags: patch security upstream Justification: user security hole Control: clone -1 -2 Control: reassign -2 shibboleth-sp2 2.5.3+dfsg-2 Control: retitle -2 shibboleth-sp2: Dynamic MetadataProvider fails to install security filters (SSCPP-763)
Hi As per https://shibboleth.net/community/advisories/secadv_20171115.txt an issue affecting opensaml2 and shibboleth-sp2: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Service Provider Security Advisory [15 November 2017] An updated version of the Shibboleth Service Provider software is available which corrects a critical security issue in the "Dynamic" metadata provider plugin. Deployers making use of the affected feature should apply the relevant update at the soonest possible moment. NOTE: CVEs for this issue are forthcoming from the Debian Project and this advisory will be updated if and when they are obtained. Dynamic MetadataProvider fails to install security filters ============================================================ The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load. All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments. Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised. Affected Systems ================== All versions of the Service Provider software prior to V2.6.1 contain this vulnerability. There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done. Service Provider Deployer Recommendations =========================================== Upgrade to V2.6.1 or later of the Service Provider and restart the shibd service/daemon. Sites relying on official RPM packages or Macports can update via the yum and port commands respectively. For those using platforms unsupported by the project team directly, refer to your vendor or package source directly for information on obtaining the fixed version. If the update from your vendor lags, you may consider building from source for your own use as an interim step. The patch commit that corrects this issue can be found at [1]. Additional Recommendations for Federation Operators ===================================================== Operators of metadata query services in support of this feature may wish to consider implementing security checks after a suitable upgrade window has elapsed to prevent use of affected versions or follow up with deployers. The User Agent string in requests to the service will contain the version of the software. Note Regarding OpenSAML Library ================================= An identical issue exists in the DynamicMetadataProvider class in the OpenSAML-C library in all versions prior to V2.6.1. Applications making direct use of this library must be independently updated to correct this vulnerability, but this fix does not correct the issue with respect to the use of the Shibboleth SP. The patch commit that corrects the OpenSAML issue can be found at [2]. Credits ========= Rod Widdowson, Steading System Software LLP [1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit; h=b66cceb0e992c351ad5e2c665229ede82f261b16 [2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit; h=6182b0acf2df670e75423c2ed7afe6950ef11c9d URL for this Security Advisory: https://shibboleth.net/community/advisories/secadv_20171115.txt -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloMTwMACgkQN4uEVAIn eWKF4hAAqJxTRUQd/BxyQA4Cnq0ysA4A+Ld1+odGrBGQp4zKjmY4lK1SqbKKsPV3 7fJvFfmojZ5nWE/KtwHSoFyqAFqYLy/2MtwMUkF/lNQTQdgjVAJ0jTRSIvMZw0H+ PGfniwN+qSowwNQe6/nV9TbkSbFEfJSWcQ+VZkzchltwD4I2DQR7VTy4rlDfTj3L WTpz7+2927pawl0ELwYF4wdDf0JTA0b7hYy9Hbm0WZyOiN+nl//zTV2ZtzlwWt+k fNilA4BVl5OPmosp1FuPgsxCThRkHrr9SIwDeQDngSQqp8zomhDAuFLV6AZEuPXT hVoysaQDe12bbx6680uGSIvSs35qCiuqe8em+8Dek/Abiu0NDvPlpP01vMxYQc+U RN5emyWyFIbt4JDbYIaBz0sBYDcRNTMQrt/a5EQ1NCGx8mm5UIeDXacdd1MWb9hj f+KfO68JHMxZuONj5RysvByi6EyOuBuoGDsXoEzzGQQtmNa8e1wQurJYDnSAp+uA xayZKA2ea2FRpI0ON1UaZLARrn6o0Jf28FrbVO+h7e2wiX3la0oQKF5qBJ0sBYhP 5fXR/otDKeAz/3kZC/iSsDXY+ApLYurNk9AKMP4hfAfk5/xpBA7IisGk+w3RlJju d3iu9xFlcShS+pXbf1+P5qW1QFXZYnPU3gJlzTKcNbqcOPbLS/8= =IpAG -----END PGP SIGNATURE----- There is though the statement that CVEs will be assigned by the Debian project. This cannot be done, since the fix was already in the repository when asked and a CVE needs to be assigned via the MITRE primary CNA. Fixes for oldstable and stable are pending and already prepared by Ferenc Wágner. Regards, Salvatore
