Vulnerability & Exploit Database

Back to search

FreeBSD: VID-22438240-1BD0-11E8-A2EC-6CC21735F730 (CVE-2018-0489): shibboleth-sp -- vulnerable to forged user attribute data

Severity CVSS Published Added Modified
6 (AV:N/AC:L/Au:N/C:P/I:P/A:N) February 27, 2018 February 28, 2018 May 15, 2018

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-22438240-1BD0-11E8-A2EC-6CC21735F730:

Shibboleth consortium reports:

Shibboleth SP software vulnerable to additional data forgery flaws

The XML processing performed by the Service Provider software has

been found to be vulnerable to new flaws similar in nature to the

one addressed in an advisory last month.

These bugs involve the use of other XML constructs rather than

entity references, and therefore required additional mitigation once

discovered. As with the previous issue, this flaw allows for

changes to an XML document that do not break a digital signature but

can alter the user data passed through to applications behind the SP

and result in impersonation attacks and exposure of protected

information.

As before, the use of XML Encryption is a significant mitigation,

but we have not dismissed the possibility that attacks on the

Response "envelope" may be possible, in both the original and this

new case. No actual attacks of this nature are known, so deployers

should prioritize patching systems that expect to handle unencrypted

SAML assertions.

An updated version of XMLTooling-C (V1.6.4) is available that

protects against these new attacks, and should help prevent similar

vulnerabilities in the future.

Unlike the previous case, these bugs are NOT prevented by any

existing Xerces-C parser version on any platform and cannot be

addressed by any means other than the updated XMLTooling-C library.

The Service Provider software relies on a generic XML parser to

process SAML responses and there are limitations in older versions

of the parser that make it impossible to fully disable Document Type

Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make

changes to an XML document that do not break a digital signature but

are mishandled by the SP and its libraries. These manipulations can

alter the user data passed through to applications behind the SP and

result in impersonation attacks and exposure of protected

information.

While newer versions of the xerces-c3 parser are configured by the

SP into disallowing the use of a DTD via an environment variable,

this feature is not present in the xerces-c3 parser before version

3.1.4, so an additional fix is being provided now that an actual DTD

exploit has been identified. Xerces-c3-3.1.4 was committed to the

ports tree already on 2016-07-26.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial

References

Solution

freebsd-upgrade-package-xerces-c3