Shibboleth Service Provider Security Advisory [21 July 2015] for ShibSP < 2.5.5

Bug #1480765 reported by Nathan Robertson on 2015-08-03
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shibboleth-sp2 (Ubuntu)
Undecided
Unassigned

Bug Description

The following email was sent to <email address hidden> on 21st July 2015:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [21 July 2015]

An updated version of the Shibboleth Project's OpenSAML software in
C++ is available which corrects a security issue. This issue affects
the operation of the Service Provider software.

Shibboleth SP software crashes on well-formed but invalid XML
====================================================================
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-2684.

Recommendations
===============
Where possible, upgrade to V2.5.5 or later of the OpenSAML-C library
and to V1.5.5 of the XMLTooling-C library. Correcting this bug requires
that the OpenSAML library be rebuilt against the corrected version of
the XMLTooling-C library, which is normally assured by obtaining
updates to both.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.

The MacPorts have also been updated.

Windows systems should upgrade to the latest Service Provider release
(V2.5.5) which contains the appropriately updated libraries. [1]

In the interim, a partial mitigation for this issue can be accomplished
by enforcing schema validation of SAML metadata and/or SAML protocol
messages in the SP configuration. This will prevent a crash, but may
result in problems interoperating with metadata or partners that are
currently functioning because of the more lax validation done by
default. While these are bugs in those metadata sources or peer
systems, they may nonetheless need to be accommodated.

To enforce schema validation of metadata, you may add an XML attribute,
validate="true", to any <MetadataProvider> element used:

  <MetadataProvider validate="true" ... >

To enforce schema validation of protocol messages, you may add the same
XML attribute to the <Policy> element in the security-policy.xml file:

<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="true">
    ...

Credits
=======
Thanks to the InCommon Shibboleth Training team for reporting this
issue and assisting with diagnosis and verifying the fix.

[1] http://shibboleth.net/downloads/service-provider/2.5.5/

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150721.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVrcGmAAoJEDeLhFQCJ3lit6oQAMges5cPWoGhRX0hHhPIZc20
avhQ4Ym+9X+z2dMgBq8Azsl+JoWn0o0gMx5abp4kkPfM41e4YwDvj4A1TDe6qDJd
3d6NuXIDB4VRYKPrHnhWjC1AXwdk0H2u5nWH1E+XnYcKvVQwbHwQBxF6wdT8EN/0
c+lDUyzhAcfnTil1LhBW7R4r8TwfLsUhFWdOo6JkoitxCjRUpiOkjSpLvkUGccN/
C7gs+JjflK+kcUUasiABUPOXotUjB1gCoEicpgaPan2fdDZCaq3HZS7EEY5ZVB9C
3DEHbZizjTJl7STqP4jR3GzW0SVQ3kZWFJJsN6jOkIngAK+TbXRbmibo1Thm/eBv
W8CdeAji8Xei4+4q0XukBKWWAn03+tukwm7vjEFqJ2CTYNNNsLHlx7yMqlxHe++a
eyq5KGJhS4kFyyejtKkOwmPdIdJzaF7tVtp2Bl+1R7DWQCWXwg9jbkKun5Qnt3Fb
5hUTpyOnPtdXw0lpt2zZ1V0CO0zgVxnLYHHJ6fED4HqvxxjW68D/lUasdbQYNinK
vz/5ZmTo0MJrDgkv4755AvNrxzO8mn+f2235iclmADYpgSPUw4bp7VN8yUMkuODa
rdoztJ3HzPEBkjgLH/33WQMNNF0+LM1yi6mHDy+J0GgVL7KjqBgojkSR2xkoES9C
63upVNkg0bi4lMDOQPfG
=AIpd
-----END PGP SIGNATURE-----

CVE References

Nathan Robertson (nathanr) wrote :

Upstream has a backport of the 2.5.4 security fix, from March 2015, which also has not been applied (2.5.3+dfsg-2).

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in shibboleth-sp2 (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

If you're able to work on this, please note that there is an older issue still open that probably needs to be addressed, too:

http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-6440.html

Thanks

Launchpad Janitor (janitor) wrote :

[Expired for shibboleth-sp2 (Ubuntu) because there has been no activity for 60 days.]

Changed in shibboleth-sp2 (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers