CVE-2021-31826: Session recovery feature contains a null pointer dereference

Bug #1926250 reported by Etienne Dysli Metref
Affects                  Status        Importance  Assigned to    Milestone
shibboleth-sp (Debian)   Fix Released  Unknown
shibboleth-sp (Ubuntu)   Fix Released  Medium      Steve Beattie

Bug Description

Upstream advisory: https://shibboleth.net/community/advisories/secadv_20210426.txt


Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.
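To check whether a deployment already has the workaround in place, here is an added script (not part of the advisory or of the Shibboleth project) that inspects a shibboleth2.xml for the V3 namespace and a DataSealer element. The namespace URIs are the real ones; it assumes that a DataSealer element anywhere under SPConfig satisfies the advisory's condition, since the advisory does not pin its location.

```python
import xml.etree.ElementTree as ET

# Shibboleth SP configuration namespaces (real URIs; the advisory only says "V3 XML namespace").
NS_V3 = "urn:mace:shibboleth:3.0:native:sp:config"
NS_V2 = "urn:mace:shibboleth:2.0:native:sp:config"


def assess_workaround(xml_text):
    """Return (status, detail) for the advisory's DataSealer workaround given
    the text of a shibboleth2.xml. Software version is not visible in the
    config, so this only tells you whether the workaround is in place."""
    root = ET.fromstring(xml_text)
    # ElementTree encodes the namespace in the tag as "{uri}SPConfig".
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns == NS_V2:
        return ("workaround-unavailable",
                "V2 namespace in use: migrate the config to the V3 namespace "
                "before a DataSealer can be added, or update to 3.2.2 or later")
    if ns != NS_V3:
        return ("unknown-namespace", ns or "(none)")
    # Assumption: a DataSealer anywhere under SPConfig counts; the advisory
    # does not pin its location, only that one exists (even if unused).
    sealers = root.findall(".//{%s}DataSealer" % NS_V3)
    if not sealers:
        return ("workaround-missing",
                "no DataSealer configured: shibd can be crashed by a crafted "
                "cookie until one is added or the package is updated to 3.2.2+")
    kinds = ",".join(s.get("type", "?") for s in sealers)
    return ("workaround-present", "DataSealer configured (type=%s)" % kinds)


# Constructed sample configurations, not real deployments; the key is the
# example value given in the advisory.
V3_NO_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
V3_WITH_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg=="/>
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
V2_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""

if __name__ == "__main__":
    for name, cfg in (("v3-no-sealer", V3_NO_SEALER),
                      ("v3-with-sealer", V3_WITH_SEALER), ("v2", V2_CONFIG)):
        print(name, *assess_workaround(cfg))
```

Run it against a copy of the live shibboleth2.xml (open the file and pass its contents to assess_workaround) to see which of the three states applies; the package version still has to be checked separately.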

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt



information type: Private Security → Public Security
Changed in shibboleth-sp (Debian):
status: Unknown → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Changed in shibboleth-sp (Debian):
status: Confirmed → Fix Released
Etienne Dysli Metref (etienne-dysli-metref) wrote :

Patch for focal copied from Debian buster's 3.0.4 security fix. Please review! :)

Mathew Hodson (mhodson)
Changed in shibboleth-sp (Ubuntu):
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

Hi Etienne,

Thanks for preparing the debdiff, it looks fine. I've gone ahead and uploaded it to the https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ where builds should appear shortly. Any testing of the built packages would be appreciated.

Thanks again!

Changed in shibboleth-sp (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shibboleth-sp - 3.0.4+dfsg1-1ubuntu0.2

---------------
shibboleth-sp (3.0.4+dfsg1-1ubuntu0.2) focal-security; urgency=high

  * SECURITY UPDATE: Session recovery feature contains a null pointer
    dereference (LP: #1926250)
    - debian/patches/SSPCPP-927-Check-for-missing-DataSealer-during-cookie-
      rec.patch: Check for missing DataSealer during cookie recovery
    - https://shibboleth.net/community/advisories/secadv_20210426.txt
    - https://issues.shibboleth.net/jira/browse/SSPCPP-927
    - CVE-2021-31826

 -- Etienne Dysli Metref <email address hidden> Thu, 10 Jun 2021 11:30:02 +0200

Changed in shibboleth-sp (Ubuntu):
status: In Progress → Fix Released