Shibboleth Service Provider (SP) Vulnerability

A security advisory was recently issued indicating that the current Shibboleth SP, if used by your application, has been identified as vulnerable to forged user attribute data, and that UBC’s Shibboleth implementation is impacted.

Shibboleth SP software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition/manipulation of a DTD, it is possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information. While the use of XML Encryption can serve as a mitigation for this bug, it may still be possible to construct attacks in such cases, and the SP does not provide a means to enforce its use.

We have informed all of our CWL Integration Partners about this critical vulnerability and the recommended solution; an updated version of XMLTooling-C (V1.6.3) is available that works around this specific bug.
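As an added illustration (not part of this notice and not code from the Shibboleth project), the following Python check shows the defensive idea behind the fix: because the advisory attributes the flaw to DTD handling in the XML parser rather than to the signature itself, a SAML response carrying any DOCTYPE is refused before signature verification is even attempted. The SAML documents and the function names are constructed for the example.

```python
import base64
import binascii
import xml.parsers.expat

# Constructed minimal SAML 2.0 response (unsigned) used as sample input.
CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# Same document with a DOCTYPE inserted into the prolog; the internal subset
# is inert here, but the presence of any DTD at all is what the check refuses.
WITH_DTD = CLEAN.replace(
    b"?>\n", b'?>\n<!DOCTYPE samlp:Response [ <!ENTITY note "constructed"> ]>\n', 1)
CLEAN_B64 = base64.b64encode(CLEAN).decode()
WITH_DTD_B64 = base64.b64encode(WITH_DTD).decode()


def contains_dtd(xml_bytes: bytes) -> bool:
    """True if the document declares a DTD (internal subset or external)."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(name)
    parser.Parse(xml_bytes, True)  # raises ExpatError if not well-formed
    return bool(seen)


def saml_post_precheck(saml_response_b64: str) -> tuple:
    """Decode an HTTP-POST SAMLResponse field and decide whether it may proceed
    to signature verification. Returns (accept, reason)."""
    try:
        raw = base64.b64decode(saml_response_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    try:
        if contains_dtd(raw):
            return False, "DOCTYPE present: refused before signature verification"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    return True, "no DTD: proceed to signature verification"
```

This is a front-door check only; the advisory's actual remedy is the XMLTooling-C update, and such a pre-check complements rather than replaces it.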

More information on this vulnerability can be found here:

hxxps://nvd.nist.gov/vuln/detail/CVE-2018-0486 *
hxxps://securitytracker.com/id/1040177
hxxps://lists.debian.org/debian-security-announce/2018/msg00007.html
hxxps://shibboleth.net/community/advisories/secadv_20180112.txt
hxxps://www.debian.org/security/2018/dsa-4085

If you have any questions, please contact us through the webform:
hxxps://web.it.ubc.ca/forms/iam/

*Note: For added security, we have changed links to include an hxxps:// prefix. This removes the hyperlink from the message. Simply copy and paste the URL into a web browser and replace hxxps:// with https://. Together we can keep our information secure.


        -----BEGIN PGP SIGNED MESSAGE-----
       Hash: SHA512


       Shibboleth Service Provider Security Advisory [12 January 2018]

       An updated version of the Shibboleth Project's XMLTooling library is
       available which corrects a critical security issue.


       Shibboleth SP software vulnerable to forged user attribute data
       ====================================================================
       The Service Provider software relies on a generic XML parser to process
       SAML responses and there are limitations in older versions of the parser
       that make it impossible to fully disable Document Type Definition (DTD)
       processing.

       Through addition/manipulation of a DTD, it's possible to make changes
       to an XML document that do not break a digital signature but are
       mishandled by the SP and its libraries. These manipulations can alter
       the user data passed through to applications behind the SP and result
       in impersonation attacks and exposure of protected information.

       While the use of XML Encryption can serve as a mitigation for this bug,
       it may still be possible to construct attacks in such cases, and the SP
       does not provide a means to enforce its use.

       An updated version of XMLTooling-C (V1.6.3) is available that works
       around this specific bug.

       While newer versions of the parser are configured by the SP into
       disallowing the use of a DTD via an environment variable, this feature
       is not present in the parser used on some supported platforms (notably
       Red Hat and CentOS 7), so an additional fix is being provided now that
       an actual DTD exploit has been identified.

       While it is possible to determine whether one is already immune to this
       bug, the installation of this patch is a simpler step, and strongly
       encouraged. Notably, however, "current" Windows installs of V2.6.0 and
       later are *not* impacted by the bug, so this patch can be treated as lower
       priority on that platform.

       This vulnerability has been assigned CVE-2018-0486.

       Recommendations
       ===============
       Upgrade to V1.6.3 or later of the XMLTooling-C library and restart the
       affected processes (shibd, Apache, etc.).

       Linux installations relying on official RPM packages can upgrade to
       the latest package versions to obtain the fix.

       The MacPort has also been updated.

       Windows systems can upgrade to the latest Service Provider release
       (V2.6.1.3) which contains the appropriately updated libraries. [1]


       Credits
       =======
       Philip Huppert, RedTeam Pentesting

       [1] https://shibboleth.net/downloads/service-provider/2.6.1/

       URL for this Security Advisory:
       https://shibboleth.net/community/advisories/secadv_20180112.txt
